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A STATUS UPDATE ON THE DEVELOPMENT 
OF VOLUNTARY DO-NOT-TRACK STANDARDS 


WEDNESDAY, APRIL 24, 2013 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The committee met, pursuant to notice, at 2:38 p.m., in room 
SR-253, Russell Senate Office Building, Hon. John D. Rockefeller 
IV, Chairman of the Committee, presiding. 

OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
U.S. SENATOR FROM WEST VIRGINIA 

The Chairman. All right. This hearing will come to order. 

In February 2012, the Digital Advertising Alliance pledged that 
the online advertising industry would honor Do-Not-Track requests 
made by consumers. That commitment was supposed to happen by 
the end of the year which is called 2012. We are past that time. 

What it was supposed to mean, what that statement was sup- 
posed to mean was that when consumers made it clear they did not 
want advertisers to collect information about their Internet activi- 
ties, the advertisers would respect their wishes. It is now April 
2013, and consumers are still waiting for these Do-Not-Track 
standards. 

Advertising folks are continuing to ignore Do-Not-Track headers 
and consumers’ requests for privacy. There is a broad feeling that 
the advertisers, brokers, et cetera, data brokers, are just dragging 
their feet, and I believe they are, and I believe they are doing it 
purposely. 

I personally have long expressed skepticism about the ability or 
the willingness of companies to regulate themselves on behalf of 
consumers when it affects their bottom line. It is just the way I am 
made. It is my experience. And my service in West Virginia makes 
me have that — and my service on this committee really makes me 
feel very strongly about that. 

And that is why for the past two Congresses, I have introduced 
legislation that would create meaningful Do-Not-Track standards 
for consumers. I do not believe that companies with business mod- 
els based upon the collection and monetization of personal informa- 
tion will voluntarily stop these practices if it negatively impacts 
their profit margins. I just think that is the way corporations, with 
obviously a number of exceptions, are run. 

They are there to make money. And consumers, particularly 
when you get something like the Internet, which everybody wants, 
worships, and loves, that is even more so. 

( 1 ) 
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Having said that and disclosed what is a genuinely troublesome 
feeling that I have about the nature of corporations with a chance 
to make money, particularly when people don’t know what they are 
doing, in spite of that, I want to be open-minded today. I want to 
do my best. Senator Thune, to be open-minded. And I want to hear 
all sides on the matters at hand. 

For months, industry stakeholders, consumer groups, academics, 
and other interested parties have been in negotiation with the 
World Wide Web Consortium, known as W3C, attempting to reach 
an agreement on voluntary Do-Not-Track standards. But con- 
flicting reports about W3C negotiations continue to surface. 

On one side, I hear that online advertising industry is delib- 
erately dragging its feet, moving the goal posts, and refusing to 
stop collection practices that undermine the very essence of a 
meaningful Do-Not-Track standard. On the other side, I hear two 
software developers, in particular Microsoft and Mozilla — which I 
know are not necessarily popular with all of those at the desk that 
I am looking at in front of me — have prevented the W3C from forg- 
ing consensus on voluntary Do-Not-Track standards. 

In other words, people who want to do it by default, which, in 
many ways, I think is the best way to go, they don’t want to put 
up with that. So there is a meeting coming up in May, in Sunny- 
side, California. And I think the same problems will be stopping us 
then as are now. 

Today, I want to get to the bottom of this controversy, and I have 
got a great prosecuting attorney over there ready to jump in. I 
want the witnesses to publicly explain exactly what they believe 
has gone wrong and what they are prepared to offer to make Do- 
Not-Track a reality for consumers, as they said they were going to 
do. 

However, while I want to be fair and hear from all sides, I do 
not want to hear some of the familiar talking points that delib- 
erately serve no purpose but to confuse the debate. I will interrupt 
if that stuff starts coming up. 

I do not want to hear that Do-Not-Track would jeopardize anti- 
fraud efforts, cybersecurity, or the Internet itself with a strict pro- 
hibition on any collection of information because it is simply not 
true, and you know it is not true because we have written that into 
our latest bill. Small companies will be protected. 

Everyone acknowledges that some limited collection of informa- 
tion is necessary in order to fulfill basic functions. My own bill 
clearly provides for this. 

Furthermore, I do not want to hear assertions that the current 
self-regulatory scheme fulfills Do-Not-Track requests. You can try 
it. After I have heard it one and a half times, I will just stop it. 

A meaningful Do-Not-Track standard prohibits the collection of 
online information except for a few narrow purposes, and we all 
know what those are. Under the current Ad Choices Campaign op- 
erated by the advertising industry, companies continue to collect 
vast amounts of consumer information and only promise to not use 
this information for specific purposes, such as targeted advertising. 

In addition to my concerns that consumer choices are not being 
honored, I am also worried about the escalating rhetoric that we 
have witnessed in the past few months, that Chairwoman Ramirez 
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was subject to when she spoke recently at a meeting, basically on- 
line advertisers about Web browser developers. 

Browsers are attempting to provide consumers with greater pri- 
vacy protections, and ad networks are resisting these efforts. If you 
can say that I am wrong, please prove it to me. 

I am disturbed with the rhetoric from advertisers that suggest 
they might try to circumvent the sensible privacy protections that 
Web browsers are providing consumers. The nuclear option or the 
destruction — the end of the Internet, all this kind of stuff that you 
hear constantly from people who don’t want to do what they need 
to do. 

I urge everybody to take a deep breath, myself included, and tone 
down the rhetoric. We all need to remember that this debate is 
about consumers and their choices. That is what we do on this com- 
mittee. 

Consumers who may be happy to have their information collected 
for targeting advertising in some situations, but who may want ad- 
vertisers to completely leave them alone at other times. It is their 
choice. 

In this regard, I believe all sides should be prepared to com- 
promise in order to maximize protection for consumers. And I urge 
all of the witnesses today to spend less time attacking their oppo- 
nents and spend more time thinking about how we can honor and 
respect consumer preferences. 

That is the end of my statement. 

I call upon my distinguished and most excellent colleague. Sen- 
ator Thune. 


STATEMENT OF HON. JOHN THUNE, 

U.S. SENATOR FROM SOUTH DAKOTA 

Senator Thune. Thank you, Mr. Chairman, and thank you for 
holding this hearing as the Committee discusses and evaluates con- 
sumer habits in the digital online economy. 

Thank you also to all of the witnesses who are here today for 
providing testimony. 

Online commerce and Internet use are a substantial and growing 
part of our overall economy and everyday lives. According to the re- 
search firm eMarketer, nearly 150 million Americans were digital 
buyers in 2012, collectively spending more than $340 billion online. 
To court this growing consumer base, more than $37 billion was 
spent last year on digital advertising. 

As large as the online market already is, estimates for coming 
years predict continued growth. Both digital advertising and con- 
sumer spending are projected to grow by more than 50 percent by 
2016, when 25 million more Americans are expected to be digital 
consumers. 

The growing digital advertising industry provides thousands of 
small Web publishers, the so-called long tail of the market, with 
the revenue that they need to maintain their online presence. Con- 
textual advertising, like an ad for running shoes on a website ca- 
tering to runners, and general display ads make sense for some 
websites, but don’t necessarily make sense for all websites. 
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The market has responded by developing new and innovative 
ways to deliver relevant ads and content to Internet users, but this 
has raised questions about consumer expectations and privacy. 

It is my hope that today’s hearing will be a thoughtful discussion 
on how we can provide consumers with greater choice of services 
and products, as well as increased confidence that their Internet 
experiences will be safe. Federal Trade Commission Chairman — as 
you mentioned, Mr. Chairman — Ramirez recently gave a speech to 
the American Advertising Federation in which she said, and I 
quote, “An online advertising system that breeds consumer discom- 
fort is not a foundation for sustained growth.” I agree. 

And it is precisely because of that dynamic that I believe Web 
publishers, browsers, social networks, data analysts, and adver- 
tisers have an incentive to develop their practices to meet the 
evolving interests of consumers. I am interested to learn how ef- 
forts to regulate and legislate the intricacies of online commercial 
activity could impact the digital space. 

Will efforts to improve, or I should say will efforts to impose Do- 
Not-Track rules better protect consumers and grow online com- 
merce, or are there situations where they might diminish consumer 
privacy, inhibit consumer choice, or raise barriers to entry for new 
competitors in the online market? The largest browsers and pub- 
lishers have the means to adapt and survive in any environment, 
but smaller online companies and the choices they provide for con- 
sumers may not. 

I have faith that consumers armed with knowledge will take the 
time to make informed decisions in their own best interests. Con- 
sumers expect and seek more transparency, understanding, and 
control as they increasingly interact with online resources, and the 
market is responding. 

New tools are being presented and refined in response to con- 
sumers’ expectations. This spurs growth and innovation, which 
benefits both consumers and producers. 

I am interested in our witnesses’ views on the dynamic Internet 
ecosystem and the value and the status of industry-developed 
standards for online conduct. 

I thank all the — again, the witnesses for being here today. I look 
forward to hearing your testimony and to interacting with you as 
we ask you some questions. 

Thank you, Mr. Chairman. 

The Chairman. Thank you, sir. 

And now Senator McCaskill, who is Chair of the Subcommittee, 
and then Senator Heller. 

STATEMENT OF HON. CLAIRE McCASKILL, 

U.S. SENATOR FROM MISSOURI 

Senator McCaskill. I am just a little nervous because I am 
afraid you are going to cut me off. 

The Chairman. I doubt that. 

[Laughter.] 

Senator McCaskill. You doubt that I am nervous, or you doubt 
that you are going to cut me off? 

The Chairman. I have never seen you nervous. 



5 


Senator McCaskill. I have not prepared any opening statement. 
I am anxious to question the panel. 

I think privacy is an all-American goal, but so is the most vi- 
brant part of our economy. And what tech has done, the Internet 
has done for our economy is huge, and I want to make sure that 
we are balanced as we look at this issue in a way that protects con- 
sumers, but also makes sure that we don’t end up with one or two 
or three giant Internet companies with none of the little guys. 

Thank you, Mr. Chairman. 

The Chairman. Thank you. 

Senator Heller? 

STATEMENT OF HON. DEAN HELLER, 

U.S. SENATOR FROM NEVADA 

Senator Heller. Thank you, Mr. Chairman. Thanks for taking 
time on this important issue. I know it is important to you. 

I want to thank our witnesses for being here also today, and 
those who are interested in today’s discussion. 

I appreciate this hearing today to understand where the private 
sector is on voluntary Do-Not-Track agreements. This issue crys- 
tallizes the transactional nature of using the Internet. 

Whether consumers realize it or not, there is an exchange taking 
place when an individual launches their Internet on whatever de- 
vice they are using. In exchange for services, such as free search 
engines, free e-mail, free content on websites, free travel to destina- 
tions such as Las Vegas, free car rental bookings in places like Las 
Vegas 

[Laughter.] 

Senator Heller. — free dinner bookings to world-class res- 
taurants like in Las Vegas, these consumers, whether they know 
it or not, are being tracked. Some people don’t even know they are 
being tracked, and I, frankly, think some people don’t care. 

And as we all know, the World Wide Web Consortium, or W3C, 
has been working on an international set of standards in an effort 
to improve user privacy and user control by defining what a user 
should expect when opting for no tracking during their online ses- 
sions. 

We have been hearing from some of the W3C — for some time 
that W3C is spinning their wheels, unable to come to an agree- 
ment. The W3C, as a majority, has a major opportunity here on 
May 6 through 8 in California to come together and decide if they 
can reach an agreement, and I hope this will happen. I think that 
a result on this issue by the private sector is the most appropriate 
way to go. 

I would encourage the W3C to try to find to the fullest extent 
possible to uphold just a few principles, first being any solution 
must be technology neutral. Second, it must be business model 
neutral, and third, it must not pick winners and losers. 

I also want to point out how difficult a consensus will be to 
achieve. I think it is going to be very difficult. The W3C is made 
up of privacy groups, Web browsers, first-party advertisers, third- 
party advertising companies, and experts in the public sphere. 
There are many, many competing agendas here. 
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It is important that this committee attempts to better under- 
stand why coming to an agreement here is fleeting and perhaps en- 
courage that the private sector be able to reach a consensus. It is 
also important to understand that any solution that blocks third- 
party advertising companies from placing cookies on the Internet 
will have economic consequences. 

This sector provides many jobs and generates multibillions of dol- 
lars of economic activity, even in Las Vegas. Understanding exactly 
what first- and third-party tracking online and whether the con- 
sumer is harmed in some fashion or even cares is incredibly impor- 
tant for all of us to understand, especially if a Government solution 
is being considered. I think the last thing any member wants is to 
propose a solution that chills investment and innovations. 

The question really being discussed here is not whether tracking 
is happening, because it is. The question is whether harm actually 
exists, and what is that harm, and what is the appropriate solution 
to that? I believe the goal here is consumer education and choice, 
but it should be from the private sector. 

Thank you, Mr. Chairman. 

The Chairman. Thank you very much. Senator Heller. 

And with no disrespect to you, sir. 

STATEMENT OF HON. RON JOHNSON, 

U.S. SENATOR FROM WISCONSIN 

Senator Johnson. I am fine. Thanks. 

The Chairman. OK. Well, I know that. 

[Laughter.] 

The Chairman. Let us go right to questioning, and I will start. 
Oh, no, no, no. I do that all the time. 

[Laughter.] 

The Chairman. I am so in love with what I have to say that I 
just don’t even bother listening to the witnesses. So why don’t we 
try my bothering to listen to the witnesses today. 

Let us start with you, Mr. Anderson. Actually, I think that is the 
third or fourth time I have done that. Oh, well. 

STATEMENT OF HARVEY ANDERSON, SENIOR VICE 
PRESIDENT, BUSINESS AND LEGAL AFFAIRS, MOZILLA 

Mr. Anderson. Thank you. Chairman, Ranking Member Thune, 
and other members of the Committee. We appreciate the oppor- 
tunity to testify today on the status of Do-Not-Track. 

I am Harvey Anderson. I lead the business, legal, and public pol- 
icy teams for Mozilla. Mozilla is the maker of the Firefox browser 
used by 450 million people worldwide. We developed Firefox to 
bring competition to the browser market nearly 10 years ago and 
to promote an open, innovative Web. 

We were the first to include Do-Not-Track with the setting as 
Do-Not-Track off by default. We try to be an agent for the user to 
help users navigate their digital lives in ways that make sense to 
them. 

A couple comments. The Internet is the most significant social 
and technological development of our time. However, the Internet 
is very, very young, maybe 9,000 days young. Let us put that in 
perspective in terms of the World Wide Web. 
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So this means that mainstream users do not necessarily have a 
historical set of norms or expectations to guide their digital choices. 
The Web has also created new and unparalleled opportunities on- 
line that produce unimaginable amounts of data. At the same time, 
there are no clear parameters or boundaries on data practices other 
than those that are codified by law or regulatory bodies. So accept- 
able collection and use norms are still evolving. 

We cannot often not predict what models the current technology 
will enable. Lou Montulli and John Giannandrea, they were col- 
leagues of mine at Netscape, developed the cookie to solve a very 
real technical problem, to store state and invent the notion of a ses- 
sion over several HTTP requests. Few would have imagined a 
whole industry built upon the cookie. 

The online ad business, as you mentioned, has grown to a record- 
breaking $37 billion in 2012. This means change will be met with 
resistance by incumbent interests with arguments that I have 
heard such as change is bad for competition or that it will decrease 
revenue. We should question whether protecting business models 
that lack transparency is actually protecting competition. 

Historically, there have been many profitable business models 
that have challenged our norms, but profits don’t always justify 
practices. Similar arguments were made when Firefox blocked pop- 
up ads. They said it will destroy the industry, but it seems it has 
not hindered the success of the online ad industry today. 

It was nearly a year ago when my colleague Alex Fowler reported 
on the status of DNT before this committee, and since that time, 
the industry has not moved forward quickly enough, in our opinion. 
Consumers have shown increased concern about online tracking 
and privacy. More users are sending DNT signals than ever, and 
yet the efficacy of the Ad Choices Program remains questionable. 

Consumer concerns over online tracking persists, as shown by 
numerous independent studies referenced in our written testimony. 
Our own adoption of consumer sentiment data shows support for 
DNT. Do-Not-Track adoption by Firefox users in the U.S. is rough- 
ly 17 percent. It is pretty consistent across all the states. 

Consumer engagement with the DAA Ad Choices Program re- 
mains low. Last month, the industry reported more than a trillion 
ads per month included the Ad Choices icon, but only 1 million 
users have opted out of all interest-based advertising. 

The claims that this low opt-out rate prove that consumers are 
OK with the tracking and collection belie the facts as shown by the 
actual DNT adoption and consumer surveys. Currently, DNT sig- 
nals are largely ignored by ad networks. We estimate that Firefox 
users send more than 135 million DNT signals every day. That is 
more than 4 trillion every month, 4 trillion every month, that go 
unanswered. 

Over the past year, we have observed the trends that charac- 
terize the DNT work of the W3C as part of industry self-regulation. 
The W3C is neither the industry nor a self-regulatory effort on its 
own. The W3C codifies technical standards for issues that are ei- 
ther well understood and agreed upon in advance or problematic 
for a set of stakeholders motivated to find a common solution. It 
is also not designed to replace regulation and enforcement. 
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Ultimately, the question here is not about the standards process, 
but about responding to the 45 million Firefox users and IE users 
who are simply saying don’t track me. The DNT standard doesn’t 
have to be final at the W3C to get started. We would like to see 
more of the industry move forward and begin implementing DNT 
now. 

We applaud leading companies like Twitter, AP, and Jumptap, 
and the quiet supporters, many who are DAA members, who adopt- 
ed DNT, all without waiting for a final W3C spec. Apparently, it 
takes neither a law nor a finalized W3C spec to do the right thing. 

What is at stake is not money here, but trust. To date, the de- 
bate is focused on the threat to those revenue models that are 
based on tracking. But the loss of user trust is far more dangerous 
than the potential lost revenues. 

Trust is the true currency that needs to be protected. The lack 
of trust stems from users not understanding the value proposition 
of online tracking. This is where industry can really make a dif- 
ference. If users don’t understand what happens to their data, how 
it is used, or the tradeoffs, they will inevitably seek more protective 
blocking options. 

Efforts to protect the status quo further erode people’s trust, 
thereby compromising future expansion of commerce and innova- 
tion online. We want to help the ad and publishing industries cre- 
ate a paradigm of trust that both respects users and supports com- 
merce. 

We recognize the current opt-out system represents significant 
efforts. The work the DAA has done is — should be acknowledged. 
That is a lot of work to get industry to do one thing comprehen- 
sively. 

We also know that legislating technology is risky. Given the cur- 
rent environment, though, it is clear that more is required, includ- 
ing continued congressional oversight. As we and industry thought 
leaders have observed, there is a better way to gain the users’ 
trust. Real transparency of data practices, combined with meaning- 
ful user choice, will engender the confidence users expect. 

Thank you again for the opportunity to testify today. 

[The prepared statement of Mr. Anderson follows:] 

Prepared Statement of Harvey Anderson, Senior Vice President, Business 
AND Legal Affairs, Mozilla 

Chairman Rockefeller, Ranking Member Thune, and other members of the Com- 
mittee, thank you for the opportunity to testify on the need for privacy protections, 
the status of self-regulation and Do Not Track (DNT). 

I am Harvey Anderson, I lead the business, legal, and public policy teams for 
Mozilla. In addition to commercial and legal responsibilities, this role also captures 
the intersection of product and policy initiatives such as DNT, leadership on open 
Internet issues, net neutrality, copyright reform, and Internet governance. I have 
practiced in the technology sector for the past 20 years, and have worked in the 
internet domain since I first joined Netscape in the mid 1990s. 

Mozilla is the maker of the Firefox browser used by 460 million people worldwide. 
We developed Firefox to bring competition to the browser market, and to promote 
openness, innovation, and opportunity online. We do not own or operate a search 
or advertising business, yet like most online ventures, our revenues are based on 
advertising and commerce. We view ourselves as “an agent of the user” whose role 
is to help users navigate their digital lives in ways that make sense to them. Mozilla 
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was voted the Most Trusted Internet Company for Privacy in 2012 by the Ponemon 
Institute, as well as a top 20 overall trusted brand for privacy.^ 

When we testified here last time on this topic, we told you that: 

• Industry self-regulation can work when it is a multi-stakeholder process that 
reflects the views of all of the relevant parties involved in data transactions. 

• Regulatory measures can introduce unintended consequences that can be harm- 
ful to a fragile Web ecosystem. 

• Enabling economic ecosystems on the Web is essential to a robust and healthy 
Internet; however, commercial imperatives and user choice/control are not mu- 
tually exclusive. They can and must coexist through a combination of technical 
capabilities and user-centric business and data practices. 

• The multi-stakeholder process occurring at the W3C will result in a consensus 
on both the meaning of DNT and how websites should respond. 

Those statements stand true today and are still timely for your consideration. Our 
goal today is to provide further context, an update on recent market developments, 
and insights that can assist your evaluation of whether current self-regulatory ef- 
forts are adequate. To achieve this, I will touch on the following topics: 

• The Internet environment; 

• What has happened since the June 2012 hearing by this committee on DNT; 
and 

• Expectations of the W3C standards process for online tracking. 

My testimony today will not cover Mozilla’s current evaluation of a new third- 
party cookie policy in Firefox. That work is ongoing as we engage with the full spec- 
trum of stakeholders, including our users, developers, advocates and business lead- 
ers. We would be pleased to come back at a later date to update members of this 
Committee on browser product features that give more options to manage cookies. 

Internet Environment 

The Internet is the most significant social and technological development of our 
time. However, the Internet is young, very young — maybe 9,000 days since the evo- 
lution of the World Wide Web. As a result, we are all still finding our way in this 
evolving environment. This means that mainstream users do not necessarily have 
a historical set of norms or expectations to guide their digital choices, they do not 
always understand the consequences of their online actions and the trade-offs im- 
plicit in getting services for “free,” or what happens “behind the scenes” with their 
data. 

The Web ecosystem has also created new and unparalleled opportunities online 
that produce unimaginable amounts of data and possibility for new products, serv- 
ices and relationships. Google’s Eric Schmidt observed in 2010 that “we create as 
much information in two days now as we did from the dawn of man through 2003.”^ 
At the same time, there are no clear parameters or boundaries other than those that 
are codified by legislative and regulatory bodies or by industry practices. So accept- 
able collection and use norms are still evolving. Notwithstanding the current en- 
tropy in the market, this is a natural form of evolution which should temper both 
expectations and desires to intervene prematurely. 

Commercial models are also evolving on top of this ever-changing technological 
landscape. We often cannot predict what models the current technology will enable. 
Consider the models based on the cookie. Lou Montulli and John Giannandria, col- 
leagues of mine at Netscape, developed the cookie to solve a very real technical 
problem — to store state and invent the notion of a “session” over several HTTP re- 
quests. It is safe to say they would have never imagined a whole industry built upon 
a technical construct like the cookie and the data practices it enables. 

During this same period, the digital advertising business has grown, reaching a 
record-breaking $36.6 billion in 2012 ^ — so there is real money at stake. This means 
any change will be met with resistance by inherent incumbent interests. We have 
seen these arguments in this debate expressed as change is bad for competition or 
will decrease revenue. We should question whether protecting business models that 
lack transparency is “protecting or promoting competition” — particularly models 


^2012 Most Trusted Companies for Privacy, Ponemon Institute, January 28, 2013; http:! ! 
www.ponemon.orgj local / upload I file / 2012%20MTC%20Report%20FINAL.pdf 
^Techonomy Conference, Lake Tahoe, California, August 4, 2010; http:! jtechonomy. com! 

^lAB Internet Advertising Revenue Report, Interactive Advertising Bureau and 

PricewaterhouseCoopers, April 2013; http:! j www.iab.net j media ! file j lAB Internet Advertis 

ing Revenue Report_FY_2012.pdf 
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that use data in ways that people do not understand or expect. Historically, there 
have been many profitable models that have challenged our norms, but the fact that 
they were profitable neither sanctioned them nor justified their preservation. It is 
worth pointing out that the widespread adoption of pop-up blocking by browsers, 
which Mozilla led many years ago and was initially labeled “bad for advertising,” 
has clearly done nothing to hinder the success or innovation of online marketers or 
the operation of websites. 

At the same time, a new paradigm has developed that pits “what can be done” 
against “what should be done.” We face this challenge often at Mozilla. Although 
we employ privacy by design and use transparency, choice, and control as guiding 
principles, the application is not always easy. For example we internally debate 
whether the functionality and configuration for a new product or service provides 
enough informed choice, the right choices, which defaults make sense, and whether 
user experience is compromised. No doubt this body is no stranger to extended de- 
bate given the vast constituencies you represent. The point here is that the applica- 
tion of our values is still under development and that application changes based on 
context while the values do not. We all remain in search of that delicate balance 
that allows for aggressive innovation and competition, but that also respects user 
intent, expectations, and ultimately creates trust. This is part of the backdrop that 
should inform what we expect from business solutions, technical standards and self- 
regulatory programs. 

Developments Sinee June 2012 

It was nearly a year ago when Alex Fowler, my colleague and Chief Privacy Offi- 
cer of Mozilla, sat at this table to report on the status of DNT. Since that time, the 
industry has not moved forward quickly enough, consumers have shown increased 
concern about online tracking and privacy, more users are sending DNT signals, and 
yet the efficacy of the Ad Choice program remains questionable. 

Consumer concerns over online tracking persist and continue to grow. A study 
published by the prominent industry analyst group Ovum, found that 68 percent of 
the Internef users across 11 countries would select Do Not Track if easily available 
to them. The group also found that only 14 percent of respondents believe Internet 
companies are honest about their use of consumers’ personal data.'' Similarly, re- 
search at UC Berkeley’s Center for Law and Technology found that over 60 percent 
of users want DNT to prevent the collection of information about their online activi- 
ties.® 

Our own data continues to show strong user support for and steady adoption of 
DNT. We see this in actual adoption and consumer sentiment. DNT adoption in the 
U.S. Firefox user base is approximately 17 percent. Globally, the average is 11 per- 
cent. Statewide Firefox DNT adoption rates are outlined in fhe table below.® 


Ovum predicts turbulence for the Internet economy, as more than two-thirds of consumers say 

‘no’ to Internet tracking, February 6, 2013; http: 1 1 ovum.com I press releaseslovum-predicts-tur- 

bulence-for-the-internet-economy-as-more-than-two-thirds-of-consumers-say-no-to-internet- 

tracking! 

^Privacy and Modern Advertising: Most U.S. Internet Users Want “Do Not Track’’ to Stop Col- 
lection of Data About their Online Activities, Chris Jay Hoofnagle, Jennifer Urban and Su Li, 
Oct. 8, 2012; http:! Iwww.law.berkeley.edulprivacysurvey.htm 
® Anyone with a website and access to a web server can start counting how many users are 
sending DNT:1, which is how the signal is expressed via HTTP requests. 
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Table: User Adoption Averages in the U.S. for Do Not Track in Firefox 

United States 


Alabama 

18 %- 

Alaska 

17 % - 

Arizona 

19 %- 

Arkansas 

19 %- 

California 

17 % - 

Colorado 

18 %- 

Cwmecticut 

17 %- 

Delaware 

16 %- 

D.C. 

15 %- 

Florida 

18 %- 

Georgia 

18 %- 

Hawaii 

17 %- 

Idaho 

17 % - 

Illinois 

16 %- 

Indiana 

17 %- 

Iowa 

18 %- 

Kansas 

17 %- 

Kentucky 

18 %- 

Louisiana 

17 % - 

.Maine 

19 %- 

Maryland 

17 % - 

Massachusetts 

16 %- 

.Michigan 

17 %- 

Minnesota 

16 %- 

Mississippi 

17 %- 

Missouri 

18 %- 

Montana 

18 %- 

Netvaska 

16 %- 

Nevada 

17 % - 

New Hampshire 

18 %- 

New Jersey 

16 %- 

New Mexico 

18 %- 

New York 

16 %- 

N. Carolina 

18 %- 

N. Dakou 

17 % - 

Ohio 

17 %- 

Oklahonu 

19 %- 

Oregon 

19 %- 

Pennsylvania 

17 %- 

Rhode Island 

17 % - 

S. Carolina 

18 %- 

S. Dakou 

18 %- 

Tennessee 

17 %- 

Texas 

17 % 

Utah 

14 % - 

Vermont 

18 %- 

Virginia 

18 %- 

Washington 

19 %- 

W. Virpnia 

19 %- 

Wisconsin 

18 %- 

Wyoming 

17 % - 







Source: Mozilla, April 2013 


Consumer concerns over online tracking and privacy are real. Surveys of our user 
base consistently show concern about online privacy. Only 13 percent of respondents 
believe their privacy is being respected online. More importantly, over 60 percent 
of those polled want DNT to cover hoth collection and use by companies online in 
either a first- or third-party context. At the same time, the prevalence of non-trans- 
parent online tracking continues to grow year over year. A recent Evidon study 
showed a 53 percent increase in trackers from the prior year.^ Even more alarming, 
only 45 percent of the tracking tags identified by Evidon were placed there by the 
publisher of the site. 

The efficacy of the Digital Advertising Alliance (DAA) Ad Choices program, which 
is still only in heta after several years of development, remains low. Many stake- 
holders view this as an indicator of the inadequacy of the industry-led, self-regu- 
latory program. Last year, according to one study, the number of users who viewed 
the icon was low: 0.0035 percent of users clicked, and only 1 in 20 of those actually 
opted out.® Last month, the industry reported that more than a trillion ads per 
month include the Ad Choices icon — a blue triangular icon that when clicked, takes 
consumers to a page where they can learn about the ad, and opt out of receiving 
it. Only five million users have accessed the choice tool, and 1 million of those have 
opted out of all interest-based advertising.® The claims that this low opt-out rate 
prove that consumers are “OK” with the tracking and collection practices associated 
with cookies clearly do not square with the overwhelming research that consistently 
finds that the majority of consumers are concerned with being tracked across the 
Web. They also do not square with the 11 percent of Firefox users who have turned 
on Do Not Track. 


'^Evidon, a firm that administers the ad industries’ Ad Choices program for more than $2 bil- 
lion of display media and e-commerce transactions annually, measured sites across the Internet 
and found 987 weh-tracking tags from ad servers, analytics companies, audience-segmenting 
firms, social networks and sharing tools, which represented a 53 percent increase from the 645 
unique trackers found in previous studies. 

®Leon, P. et al., What Do Online Behavioral Advertising Disclosures Communicate to Users? 
April 13, 2012; httpil ! ivww.cylab.emu.edu / files / ndfs I tech reports / CMUCyLahl2008.pdf 

® “Opinion: Harnessing the power of digital advertising,” Lou Mastria, Politco, March 10, 2013; 
http:! / www.politico.com I story 1 2013 1 03 1 harnessing-the-power-of-digital-advertising-88668.html 
#ixzz2QrUsIElS 

i®A common practice would he to gather user data to test the impact of the program. The 
results of A/B testing and user group studies on the Ad Choices user experience may be helpful 

Continued 
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Currently, DNT signals are largely ignored by ad networks. We estimate that ap- 
proximately 45 million Firefox users send more than 135 million DNT signals every- 
day — more than four trillion every month — that mostly go unanswered. As discussed 
at the last DNT hearing, Microsoft adopted DNT and made it a default setting in 
their latest versions of Internet Explorer (IE). The position from the ad industry’s 
trade groups, paraphrasing of course, is that their members can ignore DNT signals 
sent by users of lE.^i This was followed by a similar statement by Yahoo! that it 
intended to disregard DNT signals coming from IE users. The rationale: DNT sig- 
nals from IE do not represent a real user choice because it is on by default. So, in 
the interim, both Firefox users sending DNT signals every day and those IE users 
for whom the DNT signal represents their real choice are ignored. It does not have 
to be this way. The industry could incrementally respond in parallel while the 
standard is being finalized, and could always prompt an IE user to confirm his/her 
choice. 

What to Expect from a Standards Process 

Over the past year, we have been troubled by a trend to characterize the ongoing 
standardization work on DNT by the W3C as a part of industry self-regulation. 
First, the W3C is neither the industry, nor the proper vehicle on its own to establish 
a self-regulatory program. It is a technical standards group. The W3C’s Tracking 
Protection Working Group is not an extension of the DAA’s Ad Choices program. 
The W3C is a body that codifies technical standards for issues that are either well 
understood and agreed upon in advance, or problematic for a set of stakeholders 
who are motivated to find a common solution. The W3C, or any technical standards 
group for that matter, is not intended to develop mechanisms that replace regula- 
tion and enforcement. Most standards groups are intended to be voluntary with a 
focus on improving issues like interoperability, efficiency, performance and trans- 
parency. This drives competition toward quality of implementation (efficiency/per- 
formance) and away from fragmentation. 

The group is currently in the drafting stage which is now co-chaired by Professor 
Peter Swire who testified at last year’s DNT hearing. This will be followed by a pe- 
riod of testing at Internet scale. In fact, our discussions with members of the group 
reveal that we may be very close to signing off on the Tracking Preference Expres- 
sion specification, which covers the client-server architecture for DNT.i'^ Stake- 
holders that are standing by, waiting for the W3C to “complete” its work are mis- 
guided. Technical standards are adopted only after drafting, testing, refining and fi- 
nalizing. But nothing prohibits de facto adoption during this process. Thus, argu- 
ments that shift blame exclusively to the W3C are dubious. At the same time, regu- 
latory groups in the U.S. and abroad should not hold back enforcement of its local 
laws in deference to the work happening within the W3C. 

Ultimately, the question here is not about the standards process, but about re- 
sponding to the tens of millions of consumers every day who are sending a DNT 
signal expressing a concern about their privacy and online tracking. There are many 
examples of how other markets react to guidance from their consumers. For exam- 
ple, car owners expressed preferences about the need for better gas mileage from 
their cars. They might not have immediately perceived that this could have an im- 
pact on the oil industry, influenced manufacturing, or that the solution was electric 
or hybrid cars, but the market did not ignore the signals. Rather, the market pro- 
vided basic education and responded to the demand. Here, in the DNT context users 
are saying, “do not track me.” They may not know exactly what it means in every 
detail or nuance, but they understand enough without the extensive explanation 
called for by some. 

The DNT standard does not have to be final at the W3C before implementation 
begins. We would like to see more of the industry move forward and begin imple- 
menting DNT now. This is how Web standards are established — they must be 
iterative and user/developer-tested. It is how HTML5 was developed — some set of 
players adopt an approach that looks promising, they work out the kinks through 
use, and over time codify it. This practice is borne from the experience that if you 
wait to work out the perfect specification, you’ll never get anything done. 


to this Committee as it seeks to understand the effectiveness of the current self-regulatory ef- 
fort. 

Statement on DNT Browser Settings, October 09, 2012; http:! I www.businesswire.com ! 
news I home 1 20121009005980 1 en j DAA-Statement-DNT-Browser-Settings 
'^^In Support of a Personalized User Experience, October 26, 2012; http:! /www.ypolicy 
blog.com I policyblog 1 2012 1 10 1 26 1 dntj 

13 See http:! ! www.w3.org ! 2011 j tracking-protection ! 

See http: / / www. w3. org 1201 1 ! tracking-protection ! drafts / tracking-dnt.html 
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We are encouraged by some publishers, advertisers and other companies in the 
ecosystem who have put DNT into effect for their businesses. We applaud leading 
companies like Twitter, the Associated Press and Jumptap who have voluntarily im- 
plemented DNT and are trying to respond to the expression of user intent — all with- 
out waiting for a W3C pronouncement. We are also aware of many more compa- 
nies across the advertising and publishing industries quietly supporting users who 
have enabled DNT, including DAA member companies. Apparently, it takes neither 
a law nor a finalized W3C specification to do the right thing. 

What is at stake is not money, but trust. To date the debate has focused on the 
threat to those revenue models that are based on tracking. But, the loss of user 
trust is far more dangerous than potential lost revenues. Trust is the true currency 
that needs to be protected. 

The lack of trust stems from users not understanding the value proposition of on- 
line tracking. Former LAB Chair, Jim Spanfeller, recently wrote in an op-ed, “[B]y 
doing unto others what we want done to us, we will enter into a more trusted eco- 
system. Business, information exchange, spontaneous discovery and overall satisfac- 
tion will thrive in ways that have become increasingly difficult due to black hat ac- 
tivities perpetrated partly in the name of advertising efficiencies.” This trust gives 
rise to increased participation and will foster new jobs. Similarly, Pam Horan, the 
Online Publishers Association’s President, wrote in an op-ed, “Ultimately this is 
about fostering a healthy environment where consumers feel safe online. It is hard 
to dispute that without this baseline acknowledgement of consumers’ expectations, 
our entire ecosystem will be compromised.” 

This is where industry can really make a difference. If users do not understand 
what happens to their data, how it is used, or the trade-offs, they will inevitably 
seek more protective blocking options. Conversely, we may see the adoption of more 
invasive and even less transparent tracking methods. The impact is that efforts to 
protect the status quo further erode people’s trust in the ecosystem, thereby compro- 
mising future expansion of commerce and innovative growth of this ecosystem. Per- 
sonalized content is good, however, the collective challenge we face is how to deliver 
that content transparently. 

The future of a viable, innovative Web that continues to contribute jobs and drive 
social, educational and economic activity depends on consumer trust. To develop this 
trust, transparency, choice and control are essential. Real transparency of business 
and data sharing practices combined with meaningful user choice will engender the 
confidence users expect. With this as a baseline, I suspect survey results would be 
dramatically different and users may very well even opt-in to forms of tracking and 
data collection they understand and find valuable. 

We saw a similar reaction in the early years of online commerce. People were 
afraid to use credit cards on the Internet until encryption was readily used and then 
users began to trust the practices that supported online electronic purchases. We 
believe it is in the industry’s own best interest to aggressively seek long-term, pri- 
vacy-preserving and economically sound approaches to behavioral targeting and per- 
sonalization that foster trust and greater participation and sharing of data. As the 
OPA’s Pam Horan observed, “Although change can be hard for any industry, it can 
also be a catalyst for better content services and privacy protections in the Internet 
ecosystem . . .” 

We want to help the advertising and publishing industries create a paradigm of 
trust that both respects users and supports commerce. We recognize that the cur- 
rent opt-out system is in many ways a significant achievement — it is no small task 
to achieve comprehensive industry behavioral change. We also recognize that legis- 
lating technology is challenging and risky — but we can articulate clear values. Given 
the low participation rates of the current voluntary opt-out system, the increasing 
concern of consumers, and the increasing volume of DNT signals that remain unan- 
swered from users across the United States, it is clear that more is required — in- 
cluding continued congressional oversight. As we and industry thought leaders have 
observed, there is a better way to gain the user’s trust — through choice, control and 
transparency, and meaningful engagement with the user on the benefits and trade- 
offs of the current tracking practices. 


i®See http:j I www.donottrack.us I implementations 

i6“Firefox Cookie-Block Is The First Step Toward A Better Tomorrow,” Jim Spanfeller, 
AdExchanger, March 18, 2013; http: I / www.adexchanger.com I the-sell-sider I firefox-cookie-block- 
is-the-first-step-toward-a-better-tomorrow ! 

“Relax, Mozilla’s Move Will Not Break the Ad-Supported Internet,” Pam Horan, Ad Age, 
April 02, 2013; http: j I adage.com I article I guest-columnists I mozilla-move-break-ad-supported- 
internet / 240663 / 

^»Ibid. 
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Thank you, again, Senator Rockefeller, Ranking Member Thune, and members of 
the Committee for the opportunity to join you today. 

The Chairman. Thank you, Mr. Anderson, very much. 

And now Mr. Mastria? 

STATEMENT OF LUIGI MASTRIA, CIPP, CISSP, MANAGING 
DIRECTOR, DIGITAL ADVERTISING ALLIANCE 

Mr. Mastria. Chairman Rockefeller, Ranking Member Thune, 
and members of the Committee, thank you for the opportunity to 
testify today. 

My name is Lou Mastria, and I am the Managing Director of the 
Digital Advertising Alliance. 

The DAA is a nonprofit organization led by the leading adver- 
tising and marketing trade associations, representing more than 
5,000 U.S. corporations. The DAA administers a comprehensive 
program of industry self-regulation for online data collection that 
provides enhanced consumer transparency and choice. 

The DAA’s Choice program also appropriately preserves con- 
sumers’ strong preference for free, ad-supported content powered 
by relevant advertising, an approach that has helped sustain the 
astonishing growth and ever-expanding variety of Internet services 
and content. The DAA is the only program in the marketplace 
today that successfully provides an end-to-end system for control- 
ling Web viewing data collected across unrelated sites. 

This system is backed by strong and credible enforcement by the 
Council of Better Business Bureau and the DMA. The DAA pro- 
vides enhanced transparency via the ubiquitous triangular blue 
icon from which consumers can access the DAA’s universal, easy- 
to-use choice mechanism. 

Since the program’s launch, more than 23 million consumers 
have visited the DAA portal and education sites to learn about 
their choices. More than 8 million have visited the DAA opt-out 
tool, and nearly 2 million have taken action to exercise their choice. 

I would like to emphasize five attributes of the DAA program 
that are frequently misrepresented by our critics. First, from its 
launch, the DAA has offered a simple, easy-to-use, one-button 
choice mechanism that works regardless of the type of browser 
used. 

Second, the DAA principles apply to the collection of all Web 
viewing data across unrelated sites, not just data collected for ad- 
vertising purposes. 

Third, the DAA offers users persistent choice, that is to say 
choice that exists even after deletion of cookies. 

Fourth, the DAA principles restrict both the collection and the 
use of data. 

Fifth, the DAA’s enforcement applies to all marketplace partici- 
pants, regardless of whether they have enrolled in the DAA pro- 
gram. 

At a highly publicized White House event last year announcing 
President Obama’s framework for privacy, the then chairman of the 
Federal Trade Commission and the Secretary of Commerce, along 
with White House officials, publicly praised and endorsed the 
DAA’s initiative. In fact, a senior White House official stated that 
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the DAA is “an example of the value of industry leadership as a 
critical part of privacy protection going forward.” 

At this event, the DAA announced an agreement to honor the 
DAA principles through a browser signal when a consumer both re- 
ceives meaningful information about the effect of that choice and 
affirmatively makes that choice themselves. Unfortunately, the 
DAA agreement at the White House was short-circuited, due to 
contrary approaches taken by both Microsoft and Mozilla. 

Microsoft subsequently released its new version of IE 10 with 
what is “Do-Not-Track” turned on by default. This is in direct con- 
flict with the agreement they helped develop at the White House. 

In February this year, Mozilla announced that it will block third- 
party cookies. These actions do not advance consumer choice, and 
they will have a significant adverse effect on users’ Internet experi- 
ence. 

Cookies set by third parties play a vital role in the Internet eco- 
system by facilitating consumer access to content and services. 
Blocking of third-party cookies would simply disrupt consumer’s on- 
line experience on the websites they use by reducing content per- 
sonalization and the relevancy of ads that they receive. 

This change would harm all Internet content services that use 
third-party technologies to understand and protect their audiences. 
In particular, it would disproportionately harm the numerous small 
publishers that are completely reliant on these technologies to op- 
erate and monetize their sites, thereby thwarting new job creation 
and chilling innovation. 

For more than 4 years, the DAA has been responsive to the con- 
cerns of consumer advocates, regulators, and legislators. The DAA’s 
initial advertising principles met the FTC’s call for enhanced trans- 
parency. The DAA’s multisite data principles again met the call of 
regulators and consumer advocates to extend choice to all Web 
viewing data. 

At the White House, again DAA, responding to regulators, agreed 
to honor its principles through a browser setting that would com- 
plement DAA’s existing choice mechanism. And soon the DAA will 
announce detailed guidance that provides transparency and control 
for the mobile Web applications and marketplace. 

To be clear, the DAA is the solution provider here, not the prob- 
lem. We are the only entity that actually delivered choice for con- 
sumers. 

Today, the DAA calls on all stakeholders, including the FTC, the 
W3C, Microsoft, and Mozilla, to honor the terms of the ^^ite 
House announcement and remove impediments that are preventing 
implementation of browser-driven choice for consumers. 

Thank you. 

[The prepared statement of Mr. Mastria follows:] 

Prepared Statement of Luigi Mastria, CIPP, CISSP, Managing Director, 
Digital Advertising Alliance 

Chairman Rockefeller, Ranking Member Thune, and Members of the Committee, 
good afternoon and thank you for the opportunity to speak at this important hear- 
ing. 

My name is Lou Mastria. I am Managing Director of the Digital Advertising Alli- 
ance (“DAA”) and I am pleased to report to the Committee on the substantial 
progress of our Self-Regulatory Program. 
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The DAA is a non-profit organization led by the leading advertising and mar- 
keting trade associations including the Association of National Advertisers (“ANA”), 
the American Association of Advertising Agencies (“4As”), the Direct Marketing As- 
sociation (“DMA”), the Interactive Advertising Bureau (“TAB”), the American Adver- 
tising Federation (“AAF”), and the Network Advertising Initiative (“NAI”) in con- 
sultation with the Council of Better Business Bureaus (“CBBB”). These organiza- 
tions came together in 2008 to start developing the Self-Regulatory Principles for 
Online Behavioral Advertising, which were extended in 2011, beyond advertising, to 
cover the collection and use of Multi-Site Data across non-Affiliate sites over time. 
The DAA was formed to administer and promote these responsible comprehensive 
Self-Regulatory Principles for online data collection and use. 

In response to the Chairman’s request for a status update on steps industry 
stakeholders have taken to fulfill their commitment to honor Do-Not-Track requests 
from consumers.'^ Since the fall of 2010, the DAA and its participants have been pro- 
viding uniform choice to consumers. The DAA Program provides consumers with a 
one-button choice mechanism to stop the collection and use of web viewing data. 
This choice mechanism, which is consistent with the recommendations of the Fed- 
eral Trade Commission (“FTC”) is being implemented: (1) to universally apply to all 
parties that collect web viewing data across nonaffiliated sites over time; (2) to be 
easy to find, understand, and use; (3) to make consumers’ choices persistent; (4) to 
be effective and enforceable; and (5) to apply beyond simply opting out of receiving 
interest-based tailored ads.^ Furthermore, our program and choice tools share and 
meet the goals of the Chairman’s legislation — providing individuals with a simple 
and easy means to indicate their preference about the collection of such online view- 
ing data. Unfortunately, some browser manufacturers have frustrated the DAA de- 
sire to extend the DAA program and tools to a browser setting. Nonetheless, the 
DAA and its participants today provide meaningful and effective consumer choice 
tools to consumers that with the click of one button provides consumers with the 
exact choice that a browser setting could provide. The DAA is the only system that 
provides an end to end system that captures all data viewing behavior, provides en- 
hanced transparency in the form of an icon, and strong and credible enforcement 
to ensure compliance. The DAA stands committed to work with the Committee, 
these browsers and all organizations that are willing to join our efforts to provide 
meaningful choice while continuing to provide consumers with the Internet offerings 
that they cherish. 

My testimony today will describe the commitment made by the DAA to extend its 
effective choice mechanisms to include browser-based signals, the threat to the 
Internet ecosystem posed by the actions of two browser manufacturers, and how the 
online advertising industry continues to successfully work to give consumers trans- 
parency and easy, uniform, and effective tools to control online data collection. Com- 
panies recognize that consumers have different preferences about online advertising 
and data collection and want to continue to build consumer trust in the online expe- 
rience by ensuring that consumers have meaningful choices about how data is col- 
lected and used 

The DAA appreciates the Committee’s interest in exploring how consumer privacy 
concerns should co-exist with consumers’ desire for innovative products and services. 
Industry self-regulation coupled with consumer education effectively achieves this 
outcome. The DAA standards empower consumers to make choices about online data 
collection and use. Self-regulation is the appropriate approach because it is flexible 
and can adapt to rapid changes in technology and consumer expectations, whereas 
legislation and government regulation, particularly in such a rapidly-developing 
area, can stifle innovation, reduce competition, and add unnecessary costs.^ The 


1 Hearing Notice: A Status Update on the Development of Voluntary Do-Not-Track Standards, 

available at http:! / www.commerce.senate.gov / public I index.cfm?p=Hearings&ContentIiecord 

id=lcf8fbla-fb0b-4bfl-958b-lea3c443a73c. 

2 “FTC Report: Protecting Consumer Privacy in a, Era of Rapid Change — Recommendations 
for Businesses and Policymakers”, at 53 available at http: j lwww.ftc.gov ! os 1 2012 1031 120326 
privacyreport.pdf. 

^See: http:! ! cetucker.scripts.mit.edu ! docs! law summary 2011.pdf. In a congressional hear- 

ing on “Internet Privacy: The Impact and Burden of EU Regulation,” Professor Catherine Tuck- 
er of the MIT Sloan School of Management testified about the effect on advertising performance 
of the European Union’s e-Privacy Directive, which limits the ability of companies to collect and 
use behavioral data to deliver relevant advertising. Professor Tucker’s research study found that 
the e-Privacy Directive was associated with a 65 percent drop in advertising performance, meas- 
ured as the percent of people expressing interest in purchasing an advertised product. The study 
also found that the adverse effect of such regulation was greatest for websites with content that 
did not relate obviously to any commercial product, such as general news websites. Professor 
Tucker cautions: “on the basis of this evidence, it is reasonable to say that privacy regulation 
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business community has a strong incentive to ensure broad, industry wide compli- 
ance with its self-regulatory principles and achieves this goal through the account- 
ability that is built into our Self-Regulatory Program. 

I. DAA’s Commitment to Honor Browser-Based Opt-Out Mechanisms 

For more than two years, the DAA has been offering an effective, one-button 
choice mechanism that empowers consumers to stop the collection of web viewing 
data for by third parties participating in the program. On February 23, 2012, at a 
White House event announcing President Obama’s framework for privacy in the 
21st Century, the Chairman of the Federal Trade Commission, the Secretary of 
Commerce, and White House officials publicly praised and endorsed the DAA’s 
cross-industry initiative. In the words of one White House official, the DAA is “an 
example of the value of industry leadership as a critical part of privacy protection 
going forward.” At this event, the DAA committed to developing a process to honor 
browser settings while providing consumers with the ability to make choices about 
the collection and use of web browsing data. 

A. DAA Commitment to Honor a Users’ Choices Through Browser-Based Tools 

At the February 2012 White House event, the DAA committed to recognize brows- 
er-based header signals as a means of exercising the choices provided under the 
Self-Regulatory Principles. Specifically, at the event, the DAA read the following 
commitment reached with the DOC, FTC, and White House: 

The DAA standard and corresponding enforcement of the standard will be ap- 
plied where a consumer: 

(1) has been provided language that describes to consumers the effect of exer- 
cising such choice including that some data may still be collected and 

(2) has affirmatively chosen to exercise a uniform choice with the browser 
based tool. 

The DAA standard will not apply in instances where (1) and (2) do not occur 
or where any entity or software or technology provider other than the user exer- 
cises such a choice.® 

This framework is tied to an industry-consensus standard known as the Self-Reg- 
ulatory Principles for Multi-Site Data that govern the collection and all uses of web 
viewing, including interest-based advertising.® The framework also recognizes that 
consumers should be educated as to the effect of their choice, in particular they 
should be aware that if they exercise their choice: (1) they will still receive adver- 
tising but that ads may not be relevant to their interest; (2) consistent with the Self- 
Regulatory Principles, web viewing data may still be collected for narrow purposes 
including operational and system management purposes, fraud prevention and secu- 
rity, content delivery, market research, and product development; and (3) that data 
is vital to workings of the Internet ecosystem, and limiting collection can result in 
a reduced online experience. 

The DAA committed to this standard because it provides consumer transparency, 
control, and education concerning the scope and effect of their choice while ensuring 
that a broad range of companies can continue to deliver products and services today 
and to innovate for tomorrow’s marketplace. 

B. Browsers’ Subsequent Actions 

Following the February 2012 White House event, the DAA set out to work toward 
implementing browser-based choice by the end of last year. The DAA efforts were 
short-circuited due to decisions by Microsoft and Mozilla. In particular, contrary to 
the agreement at the White House which Mozilla and Microsoft supported, they uni- 
laterally chose to implement browser-based header signals, that they call “do not 


could have sizable effects for the advertising-supported internet.” Professor Tucker advises that 
“policymaking in the area of privacy regulation needs to be careful and fulfill the twin aims of 
protecting consumer privacy and ensuring that the advertising-supported Internet continues to 
thrive.” 

4 Speech by Danny Weitzner, We Can’t Wait: Obama Administration Calls for A Consumer Pri- 
vacy Bill of Rights for the Digital Age (February 23, 2012), available at http:! /www.white 
house.gov ! blog 12012 1021231 we-ean-t-wait-obama-administration-ealls-consumer-privacy -bill-rig 
hts-digital-age (last visited March 16, 2012). 

®DAA Position on Browser Based Choice Mechanism, available at https:/ 1 www. about 
ads. info / resouree I download ! DAA Commitment.pdf. 

®dAA Self-Regulatory Principles for Multi-Site Data (November 2011), available at http:/ / 
www.aboutads.info / resource I download ! Multi-Site-Data-Principles.pdf. 
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track” signals, in a way inconsistent with the DAA commitment announced with the 
FTC, Department of Commerce, and White House. 

Microsoft released its new version of Internet Explorer 10 (“lElO”) with a “do not 
track” tool turned “on” as a default setting in direct conflict with the commitment 
they supported at the White House that a user — and not the browser manufac- 
turer — choose to exercise the choice mechanism in the browser setting. Machine- 
driven signals with the default on set by Microsoft do not represent user choice. The 
existing Microsoft system further compounds this problem by making it difficult in 
its settings for consumers to change the mandated default “on” setting. The DAA 
believes that a choice that prohibits data collection and use should not be made for 
the consumer by a browser or any other party. Allowing browser manufacturers to 
determine these choices for users limits the information and experience received by 
consumers, and consumers’ ability to enjoy the ad supported Internet provided by 
DAA participants and hundreds of thousands of other websites that consumers 
value. Most importantly, honoring the approach that Microsoft has elected to put 
in its browser was not part of the public commitment at the White House. 

Mozilla has implemented what it refers to as a “do not track” tool in the current 
Firefox release also without following the White House agreement, for example by 
not describing for consumer the impact of their choice and creating inaccurate con- 
sumer expectations. Mozilla’s interface permits users to check a box to “Tell 
websites I do not want to be tracked.” Nothing more is provided to users; for exam- 
ple, consumers are not told that, by exercising such choice some data may still be 
collected. This implementation conflicts with the workable standard developed 
through industry consensus in 2012 and does not provide consumers with clear in- 
formation about the effect of their choices. 

The process for implementing the DAA’s commitment has been further delayed by 
the Worldwide Web Consortium (“W3C”), a technical standard-setting organization 
for web technologies, and its failure to reach any consensus after nearly two years 
of dialogue. Because the W3C is ill-equipped to address such public policy matters, 
its involvement has further complicated and protracted efforts to reach consensus 
on a standard and implementation for choice offered in the browser settings. This 
process is still ongoing and the DAA continues to participate in this forum. 

C. DAA Offers a Universal Choice Mechanism 

These browser implementations conflict with the DAA commitment, and are in- 
consistent with Chairman Rockefeller’s “Do Not Track Online Act” (S. 418). The 
Chairman’s bill calls for a standard by which “an individual can simply and easily 
indicate whether the individual prefers to have personal information collected.”^ 
This bill identifies the type of data subject to the tool and the effect of choice. The 
above-described browser implementations contain no standard for the types of data 
subject to the choice mechanism or the effect of exercising a choice. Without a stand- 
ard governing when a browser-header signal is activated and what it means, a 
website or other entity receiving this signal will not know how to implement it. As 
a result, the signal could be ignored or, worse, treated differently by different signal 
recipients resulting in the consumer receiving no effect from the choice or receiving 
uneven results. This could cause confusion for consumers instead of comfort and se- 
curity. 

In contrast, we believe that the DAA’s current implementation is consistent with 
the Chairman’s bill and the recommendations set forth by the FTC. The DAA Prin- 
ciples, our Self-Regulatory Program, and our consumer choice tool enforced by cred- 
ible accountability programs are the only mechanisms in the marketplace today that 
provide consumers with clear transparency, choice, and understanding about how 
their data will and will not be used. Through more than 1 trillion ad impressions 
served each month with the DAA’s Advertising Option Icon (“DAA Icon”), consumers 
can access the DAA’s universal, easy-to-use choice mechanism via www.about 
ads.info I choices and www.youradchoices.com/control.aspx. This choice tool provides 
consumers with a single button to exercise choice against participating companies, 
either as a group or individually. When a consumer exercises choice — whether 
against all participants or a few — the affected participants stop collecting and using 
web viewing data from the user’s browser for interest-based advertising. Since the 
program’s launch in 2010, more than 23.5 million consumers have visited the DAA 
sites to learn about their advertising data choices, and, last year alone, more than 
a million consumers have taken action via DAA to exercise their choice about how 
advertisers will use their data. 


■'S. 418, “Do Not Track Online Act, 113th Congress. 
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II. Mozilla’s Technology Blocking Tool Could Harm Consumers and the 

Internet 

In an act that is sure to further undercut consumer choice committed to at the 
White House and that will break critical Internet functionality, in February 2013, 
Mozilla announced that it will block cookies set by third parties in the upcoming 
release of its Firefox browser. Mozilla’s decision to block technologies by certain 
types of companies will have a significant adverse impact on the Internet by reduc- 
ing competition and diminishing the consumer’s online experience. 

A. Third Party Cookies are Vital to the Internet Ecosystem 

Today’s Internet is built around the technology of “cookies”. Cookies are small text 
files that websites use to store information in order to make it easier for users to 
utilize and access web pages efficiently. For example, a website might use cookies 
to keep track of items a user has placed in a virtual “shopping cart.” This well-es- 
tablished and very transparent technology enables the delivery of rich content, prod- 
ucts, relevant advertising, and security and fraud prevention services. Recently, 
Mozilla has decided to selectively deny access to this technology, in effect picking 
winners and losers in the Internet ecosystem. The Internet, however, does not dis- 
criminate against technology based on its source. Affiliated companies operating dif- 
ferently branded domains could find their cookies blocked as third parties across 
these different domains. This blocking approach would also hurt a company’s meas- 
ures to provide security measures. Companies often implement security measures 
through third party domains or even their own differently branded domains. Mozilla 
would thwart these security efforts by preventing companies from setting cookies for 
security purposes in these multiple domains. This change harms not only third par- 
ties, but all companies that rely on integrated services, particularly the large num- 
ber of small publishers that rely on service providers to operate and monetize their 
sites. 

The Internet is a complex ecosystem comprised of a diverse set of actors including 
web publishers, content providers, ad networks, anal 3 dics firms, security and fraud 
prevention providers, exchanges, advertisers, plugin providers, and many other ac- 
tors. These entities work seamlessly together to provide content and services to the 
benefit of consumers. Cookies set by third parties play a vital role in this ecosystem 
by facilitating consumer demand for content and services. Cookies are also vital to 
interest-based advertising (“IBA”). IBA provides consumers with a more relevant on- 
line experience by providing information about products and services that more like- 
ly relevant to their. Blocking third-party cookies will prevent third parties from ful- 
filling these roles, in turn disrupting consumer services, lessening online relevancy 
and security, and destroying many Internet business models. 

B. Blocking Third Party Cookies Will Restrict Consumers’ Access to Content and 

Services 

Today, hundreds of thousands of publishers deliver mainstream and niche content 
for free or at low cost. Web publishers rely on third parties to help select, provide, 
and display relevant content to visitors to their publisher sites. On any given 
website, content such as news feeds, weather tools, social plugins, or emergency re- 
sponse and safety information {e.g., Amber alerts) are often provided by a third 
party integrated into the publisher’s site for a seamless appearance and experience 
for the user. Third parties also enhance content quality, providing information rel- 
evant to the browser user’s interests, and securing the user’s safety when browsing 
or shopping on a site. All of these essential services are typically delivered through 
cookie technology. Mozilla’s denial of the use of cookies would prevent third parties 
from providing these services resulting in blocked access to content, and a slower, 
less optimized, and less safe consumer experience online. In order to receive the 
Internet that works effectively and gives consumers the services they are used to 
receiving, it will be time for consumers to change their browser. 

Mozilla’s cookie-blocking approach will lead U.S. consumers down a path where 
a few large companies can control the amount and diversity of content made avail- 
able online. Not that long ago, television was comprised of three networks that se- 
lected and delivered all programing to consumers. Through advances in technology 
and infrastructure, consumers may now access a rich diversity of television content. 
The Internet delivers an even more stunning array of content because of the low 
barriers to entry. Consumers value these choices, and should not have their online 
experience be forced back into a 1970s television construct where a few control the 
content that consumers can access. In short, Mozilla’s actions could significantly 
hurt the Internet, consumer experience and choice to have robust content offerings. 
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C. Blocking Cookies Disadvantages Small Businesses 
Advertising fuels the Internet economic engine. The support provided by online 
advertising is substantial and growing despite the difficult economic times we are 
facing. The online advertising industry is a beacon for innovation and job creation. 
In 2012, Internet advertising revenues reached a new high of $36.6 billion, an im- 
pressive 15 percent higher than 2011’s full-year number.® Because of this adver- 
tising support, small and medium-size publishers can provide consumers with access 
to a wealth of online resources at low or no cost. Revenue from online advertising 
facilitates e-commerce and subsidizes the cost of content and services that con- 
sumers value, such as online newspapers, weather, Do-It-Yourself websites, blogs, 
social networking sites, mobile applications, e-mail, and phone services. According 
to a recent poll by Zogby Analytics, 92 percent of Americans think free content like 
news, weather and blogs is important to the overall value of the Internet.® 

This model delights consumers and creates jobs across America, fostering a com- 
petitive marketplace that drives down prices for consumers and costs for businesses. 
The Internet is a tremendous engine of economic growth. It has become the focus 
and a s 3 unbol of the United States’ famed innovation, ingenuity, inventiveness, and 
entrepreneurial spirit, as well as the venture funding that flows from these enor- 
mously productive and positive efforts. A 2009 study found that more than three 
million Americans in every U.S. state are employed due to the advertising-supported 
Internet, contributing an estimated $300 billion, or approximately 2 percent, to our 
country’s GDP.i® There is employment generated by this Internet activity in every 
single congressional district in every state across the United States.^^ 

Recently, more than 700 small publishers signed an open letter to Mozilla re- 
questing that it reconsider its decision to block third-party cookies. These small 
publishers rely on third party cookies for content delivery as well as the delivery 
of advertising that subsidizes their provision of online services, products, and con- 
tent through their websites. Small-business website publishers that cannot afford to 
employ advertising personnel to sell their advertising space, and may not even be 
on the radar of large brand-name advertising campaigns, can increase their revenue 
by featuring advertising that is more relevant to their users. This is commonly done 
through third-party platforms, often offered on a self-serve basis, that allow pub- 
lishers to add advertising to their sites efficiently and easily. In turn, advertising- 
supported resources help other small businesses to grow. Small businesses can use 
free or low-cost online tools, such as travel booking, long-distance calling, and net- 
working services, to help them run their companies. 

III. DAA Approach Is Successful 

The DAA is a broad-based self-regulatopr program established by the leading ad- 
vertising and marketing industry associations. The program is led by the 4As, AAF, 
ANA, DMA, lAB, and the NAI. "The DAA program unites these major trade associa- 
tions representing thousands of online companies across the full spectrum of adver- 
tising services (including web publishers, advertisers, third-party ad networks, and 
exchanges). The DAA program is based on seven core Self-Regulatory Principles: 
education, transparency, consumer control, data security, controls with respect to 
material changes to policies and practices, heightened safeguards for sensitive data, 
and accountability. The DAA offers several interrelated mechanisms to deliver con- 
sumers enhanced transparency and a ubiquitous and easy-to-use choice mechanism 
as described below. 

A. Consumer Disclosure through the Advertising Option Icon 

The DAA program has developed a universal icon to give consumers transparency 
and control for interest-based ads. The icon provides consumers with notice that in- 
formation about their online interests is being gathered to customize the web ads 
they see. Clicking the icon also allows consumers to choose whether to continue to 
allow this type of advertising. 


® Interactive Advertising Bureau Press Release, “Internet Ad Revenues Again Hit Record- 
Breaking Double-Digit Annual Growth, Reaching Nearly $37 Billion, a 15 percent Increase Over 
2011’s Landmark Numbers” (April 16, 2013) (reporting results of PricewaterhouseCoopers 
study). 

® Interactive Survey of U.S. Adults commissioned by the DAA (April 2013), available at 
http: / / www.aboutads. info / resource ! image / Poll / Zogby _DAA PolLpdf. 

Hamilton Consultants, Inc. with Professors John Deighton and John Quelch, Economic 
Value of the Advertising-Supported Internet Ecosystem, at 4 (June 10, 2009), available at http:! / 
www.iab.net I media I file I Economic-Value-Report.pdf 
i^Id. at 53. 

^^Open Letter to Mozilla, available at http:! / www.iab.net j mozilla petition! . 
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The icon is served over one trillion times each month on or next to Internet dis- 
play ads on websites covered by the program. The DAA reached this milestone with- 
in a short 18 months from program launch. This achievement represents an unprec- 
edented level of industry cooperation and adoption. 

B. Consumer Control 

At the www.aboutads.info website and accessible from the companion www.your 
adchoices.com website, the DAA program makes available a choice mechanism that 
unites the opt-out mechanisms provided by more than 114 different third-party ad- 
vertisers participating in the program. We estimate that the DAA program coverage 
is approaching 100 percent participation of the interest based ads being delivered. 
The choice mechanism offers consumers a “one-click” option to request opt outs from 
all participants or allows a user to make choices about specific companies. Con- 
sumers are directed to aboutads.info not only from icon-based disclosures on or 
around ads, but from other forms of website disclosure. The site also contains other 
educational and informational materials about the DAA program and its partici- 
pants. Since program launch, there have been more than 16 million page views of 
our choice portal. More than a year ago, the DAA also introduced a suite of browser 
plug-ins to help ensure the persistency of these choices. 

In 2012, more than 5.2 million unique users accessed the resources provided at 
www.aboutads.info. Of those visitors, nearly one million unique users have exercised 
choice using the integrated opt out mechanism provided at that site; nearly two mil- 
lion unique visitors have opted out since the program launch. Many users visit the 
website, learn about their choices, and ultimately choose not to opt out. We believe 
that this shows that once consumers understand how online advertising works, 
many prefer to receive relevant ads over irrelevant ads. Research supports this 
proposition. A recent poll of U.S. consumers shows that 68 percent of Americans 
prefer to get at least some Internet ads directed at their interests with 40 percent 
of Americans prefer to get all their ads directed to their interests. 

C. Consumer Education 

The DAA is deeply committed to consumer education. In 2012, the DAA launched 
a dedicated educational site at www.YourAdChoices.com. The site provides easy-to- 
understand messaging and informative videos explaining the choices available to 
consumers, the meaning of the Advertising Option icon, and the benefits they derive 
from online advertising. 

In 2012, companies participating in the DAA program voluntarily donated more 
than four billion impressions to support an educational campaign for www.Your 
AdChoices.com. Since the campaign launch in late January 2012, more than 13.5 
million unique users have visited the site, an average of about one million visitors 
each month. This site also provides access to the DAA’s user choice mechanism. The 
combination of the educational campaign and the ubiquitous availability of the Ad- 
vertising Option Icon have significantly increased consumer usage of the DAA pro- 
gram tools. Indeed, the 5.2 million unique visitors to www.aboutads.info in 2012 are 
more than three times the 2011 figure. 

D. Commitment to Accountability 

For the past 40 years, the advertising industry has distinguished itself through 
its self-regulatory systems for independent oversight of compliance and public re- 
porting of enforcement actions. In keeping with this tradition, a key feature of the 
DAA Self-Regulatory Program is accountability. All of DAA’s Self-Regulatory Prin- 
ciples are backed by the robust enforcement programs administered by the Council 
of Better Business Bureaus (“CBBB”) under the policy guidance of the Advertising 
Self-Regulatory Council (ASRC), and by the DMA under its Guidelines for Ethical 
Business Practice. In addition to the oversight provided by the CBBB and DMA 
compliance programs, the NAI also has a strong compliance program. The NAI com- 
pliance program includes pre-certification reviews, ongoing technical monitoring of 
member companies’ opt-out scripts, annual compliance reviews, mechanisms for ac- 
cepting and investigating complaints alleging non-compliance, and annual reporting. 
The NATs compliance program, like the CBBB and DMA programs, helps members 
to comply with their self-regulatory obligations, and to hold them accountable. 

The CBBB Accountability Program builds on the successful track records of the 
other ASRC programs: the National Advertising Division, operating since 1971; the 
Children’s Advertising Review Unit, operating since 1974; and the Electronic Retail- 


Interactive Survey of U.S. Adults commissioned by the DAA (April 2013), available at 
http:! ! www.aboutads.info/DAA-Zogby-Poll. 

i^NAI 2012 Compliance Report, available at http:/ 1 www.networkadvertising.org 12012 

NAI Compliance Report.pdf. 
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ing Self-Regulation Program, operating since 2004. These programs feature inde- 
pendent monitoring, public reporting of decisions and referral to government agen- 
cies, often to the Federal Trade Commission, of any uncorrected non-compliance. 
They have extremely high voluntary compliance rates. In fact, over 90 percent of 
companies voluntarily adopt the recommendations of these programs. Those compa- 
nies that fail to comply or refuse to participate in the self-regulatory enforcement 
process are referred publicly to the appropriate government agency for further re- 
view. 

The CBBB administers its Interest-Based Advertising Accountability Program 
under the ASRC self-regulatoiy policy guidance and procedures. Because of the 
highly complex, technical and interdependent nature of interest-based advertising, 
the Accountability Program receives a weekly privacy dashboard report based on 
independent data about more than 250 companies’ compliance with various require- 
ments of the Principles. The Accountability Program’s technical staff analyzes these 
data and independently performs further research to determine whether there may 
be a violation of the Principles warranting formal inquiry. Like other ASRC pro- 
grams administered by the CBBB, the CBBB Accountability Program also finds po- 
tential cases through its own staff monitoring and investigation, by analysis of con- 
sumer complaints and reviews of news stories and technical reports from academics 
and advocacy groups. Where there is a potential compliance issue, the CBBB initi- 
ates formal inquiries and works to ensure the company understands the Principles 
and voluntarily implements the requirements of tbe Principles. At the end of the 
process, the CBBB Accountability Program issues a public decision, which details 
the nature of the inquiry, the Accountability Program’s conclusions, any rec- 
ommendations for correction, and includes a statement from the company in ques- 
tion regarding its implementation of the recommendations. A press release is also 
issued. 

The CBBB’s Accountability Program has brought 19 cases since November 2011, 
and has a 100 percent track record of voluntary industry compliance with its rec- 
ommendations. The CBBB Accountability Program has focused its inquiries on the 
key concepts of transparency and choice under the DAA’s Self-Regulatory Principles. 
In its initial round of cases, the Accountability Program investigated whether com- 
panies were correctly and reliably providing consumers with an effective choice 
mechanism. Cases involved defective links to opt-out mechanisms and opt outs that 
failed to meet the OBA Principles’ five-year minimum opt-out period. 

The CBBB Accountability Program’s recent decisions provided companies with 
guidance on a range of important compliance issues involving the DAA’s Trans- 
parency and Consumer Control Principles. For example, in a case in which a newly- 
established company was unaware of the Principles and therefore out of compliance, 
the CBBB Accountability Program made clear that the Principles cover the entire 
advertising ecosystem and that all companies are expected to comply with these re- 
quirements. In other cases, the Accountability Program has demonstrated the flexi- 
bility of self-regulation by applying the Principles to diverse technologies and to 
evolving business models. 

The DMA’s enforcement program likewise builds on a long history of proactive 
and robust self-regulatory oversight. The DMA’s longstanding Guidelines for Ethical 
Business Practice (“Guidelines”) set out comprehensive standards for marketing 
practices, which all DMA members must follow as a condition of membership. The 
DAA Self-Regulatory Principles are incorporated into these Guidelines. 

The DMA’s Committee on Ethical Business Practice examines practices that may 
violate DMA Guidelines. To date, the DMA Guidelines have been applied to hun- 
dreds of marketing cases on a variety of issues such as deception, unfair business 
practices, personal information protection, and online behavioral advertising. In 
order to educate marketing professionals on acceptable marketing practices, a case 
report is regularly issued which summarizes questioned direct marketing pro- 
motions and how cases were administered. The report also is used to educate regu- 
lators and others interested in consumer protection issues about DMA Guidelines 
and how they are implemented. 

The Committee on Ethical Business Practice works with both member and non- 
member companies to gain voluntary cooperation in adhering to the guidelines and 
to increase good business practices for direct marketers. The DMA Corporate Re- 
sponsibility team and Ethics Committee receive matters for review in a number of 
ways: from consumers, member companies, non-members, or, sometimes, consumer 
protection agencies. Complaints are reviewed against the Guidelines and Committee 
members determine how to proceed. If a potential violation is found to exist, the 
company will be contacted and advised on how it can come into full compliance. 

Most companies work with the Committees to cease or change the questioned 
practice. However, if a member company does not cooperate and the Committee be- 
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lieves there are ongoing guidelines violations, the Committee can recommend that 
action be taken by the Board of Directors and can make case results public. Board 
action could include censure, suspension or expulsion from membership, and the 
Board may also make its actions public. If a non-member or a member company 
does not cooperate and the Committees believe violations of law may also have oc- 
curred, the case is referred to Federal and/or state law enforcement authorities for 
their review. 

The CBBB and DMA programs demonstrate the success of self-regulation and its 
many benefits, including the ability for the regulatory apparatus to evolve to meet 
new challenges. Importantly, accountability under the Principles applies to all mem- 
bers of the advertising ecosystem, not merely “members” of the various organiza- 
tions. 

E. Application of Self -Regulatory Principles to Data Collected on Mobile Devices 

Industry self-regulation is especially appropriate for the technology sector because 

it is nimble. The DAA Self-Regulatory Program is adapting over time and we expect 
this evolution to continue with changes in the marketplace driven by technological 
advancements and evolving consumer preferences. Currently, the DAA is finalizing 
new implementation guidance responding to the fact that companies operate across 
a variety of channels including mobile. The guidance will explain how the Self-Regu- 
latory Principles apply to certain data practices that may occur on mobile or other 
devices. 

Stakeholders representing all major elements of the mobile ecosystem participated 
in the development of this guidance. The guidance will clarify that the previously- 
issued Self-Regulatory Principles apply to the mobile web environment. In addition, 
the guidance will explain how the Transparency and Consumer Control Principles 
apply to “Cross-App” data — data collected from a device across non-affiliated appli- 
cations over time. The DAA will build on the success of its existing web-based uni- 
form choice mechanism by working with DAA stakeholders to develop and imple- 
ment, or otherwise specify, a companion choice mechanism for Cross-App Data. This 
new tool will offer consumers an unprecedented level of control over third-party data 
collection across applications on a device. 

The guidance will also ensure Transparency and Consumer Control for both Pre- 
cise Location Data and Personal Directory Data, the term encompassing calendar, 
address book, phone and text logs, or photo and video data created by a consumer 
that is stored on or accessed through a device. Any entity engaged in the collection 
and use of Cross-App Data, Precise Location Data, or Personal Directory Data will 
be subject to the DAA accountability mechanisms. As discussed above, these robust 
accountability mechanisms can, and do, review an entity’s practices regardless of 
whether that company has announced its adherence to the DAA Self-Regulatory 
Principles. 

F. Benefits of Industry Self -Regulation 

The DAA’s commitment to self-regulation has put us at the forefront of new con- 
sumer protection initiatives. The DAA believes that self-regulation is the appro- 
priate approach for addressing the interplay of online privacy and responsible data 
collection and use practices. We appreciate the positive recognition of the White 
House and the Federal Trade Commission for our efforts. Our approach has been 
successful in addressing consumer concerns while ensuring that the U.S. Internet 
economy remains vibrant. Self-regulation provides industry with a nimble way of re- 
sponding to new challenges presented by the evolving Internet ecosystem. For our 
information-driven economy to thrive and continue as an engine of job creation, self- 
regulation led by industry codes of conduct is the ideal way to balance privacy and 
innovation. The DAA is also a global leader in self-regulation. The DAA Program 
has been implemented in close to 30 countries including throughout Europe soon to 
be launched elsewhere. The success means a standard consumer experience and uni- 
versal standards for business operating around the world. 

We believe that our commitment to and success in advancing industry self-regula- 
tion obviates the need for new legislation. We remain concerned that laws and regu- 
lations are inflexible and can quickly become outdated in the face of extraordinarily 
rapidly-evolving technologies. When this occurs, legislation thwarts innovation and 
hinders economic growth and can impede a competitive marketplace that offers a 
full range of choice to consumers. We believe, however, as we have noted that our 
DAA program furthers the goals of the legislation introduced by Chairman Rocke- 
feller, while allowing for the more rapid and flexible response to marketplace devel- 
opments that are so pronounce in the Internet and new media environment. 

The DAA has championed a balanced approach to consumer control that both ac- 
commodates consumers’ privacy expectations and supports the ability of companies 
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to deliver services and continue innovating. This balance is essential to allow con- 
sumers to continue to receive and enjoy the diverse range of websites and services 
subsidized by relevant advertising. 

Industry has invested tens of millions of dollars to develop the DAA program, 
which is one of the most successful and fastest-developing consumer choice systems 
in the world. 

The Chairman. Thank you. 

And now Mr. Justin Brookman, Project on Consumer Privacy. 

STATEMENT OF JUSTIN BROOKMAN, DIRECTOR, CONSUMER 
PRIVACY, CENTER FOR DEMOCRACY & TECHNOLOGY 

Mr. Brookman. Chairman Rockefeller, Ranking Member Thune, 
members of the Committee, thank you very much for the oppor- 
tunity to testify here today. 

I am Director of Consumer Privacy at the Center for Democracy 
and Technology. I am also an editor and a member of the WSC’s 
working group working on Do-Not-Track. 

And this issue of behavioral advertising obviously is one that we 
have wrestled with for over 15 years now. And Chairman, I share 
your frustration that it is one we haven’t gotten right. 

Today, people still don’t understand 

The Chairman. Sir, can you bend that down just — there you go. 

Mr. Brookman. I can. Does that help? 

All right. People don’t understand they are being monitored on- 
line, and users feel less in control and more tracked than ever. I 
think people understand the tradeoff that they can view free con- 
tent online in exchange for seeing ads. What I think they don’t get 
and often would not accept is that they are getting content in ex- 
change for the surveillance of their reading and browsing habits. 

So for a number of years, some privacy advocates argue that we 
should have opt-in consent, opt-in consent for these companies we 
have no relationship with monitoring our activities to build up pro- 
files to service ads. And in response, industry said, no, opt-out is 
good enough. 

And over time, at least here in the U.S., industry won that fight. 
Calls for opt-in permission went unheeded, and legal challenges 
failed. 

But if you are going to have a system based on opt-out rights, 
you need a global opt-out so users can opt out all at once, telling 
all parties on a site, “Hey, leave me alone. Don’t track me.” Users 
cannot reasonably be expected to track down every single company 
that is monitoring them and tell them to stop individually. 

And industry in principle agrees with this, so, as Mr. Mastria de- 
scribed, the DAA has for a couple of years now offered a site you 
can go to, to opt out of behavioral advertising for member compa- 
nies. Unfortunately, the system suffers from a number of funda- 
mental flaws. 

One, it is not universal. The choice only applies to DAA member 
companies. Companies that don’t pay DAA for membership are not 
included and receive no indication that an individual user doesn’t 
want to be tracked. 

It is almost always based on cookies. So when you opt out, DAA 
member companies put tracking cookies in your device. If that gets 
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deleted, your opt-outs go away, and companies don’t know that you 
don’t want to be tracked. 

And the program does not meaningfully address collection and 
retention. Opting out turns off behavioral advertising, but member 
companies can still monitor you and collect data about you for re- 
search or product improvement purposes with no data retention 
limits. 

At the same time, behavioral tracking has expanded dramatically 
in the last couple of years. So sites that used to place one or two 
cookies on your device are now dropping hundreds from dozens 
from different companies. 

A recently released study from Evidon shows the number of 
tracking companies and websites have gone up 53 percent in the 
last year alone. This led one longtime industry insider to conclude 
in an op-ed titled “Suicide by Cookies” self-regulation hadn’t 
worked the way we promised Washington it would. 

And so, it was before this committee 3 years ago that then-Chair- 
man Leibowitz said that users need a reliable, easy to find, per- 
sistent global opt-out like Do-Not-Track. And to their credit, the 
browsers reacted pretty quickly. So, today, all major browsers can 
easily send Do-Not-Track signals. However, the advertising indus- 
try has been less willing to adapt. 

Finally, as you mentioned. Chairman Rockefeller, in February 
2012, four and a half years after advocates first called for Do-Not- 
Track and a year and a half after Chairman Leibowitz called for 
it here, the DAA said it would “begin work” on letting users use 
browser settings to express choice. And at that time, they said, 
“The DAA expects that such functionality will be implemented 
within 9 months.” 

Now it is 14 months later, and only a handful of DAA companies 
are responding to DAA headers at all. Efforts to come up with con- 
sensus meaning of Do-Not-Track in the World Wide Web Consor- 
tium have ground to a standstill, and for over a year now, the 
group has seen no movement on the key issues, such as whether 
cookies can be set when Do-Not-Track is turned on, whether com- 
panies can track for market research when Do-Not-Track is turned 
on, whether and how companies need to de-identify data they get, 
whether ad networks can reject DNT settings from browsers that 
turn on Do-Not-Track by default. 

And data retention. I mean, if, at the end of the day, ad compa- 
nies can still log and retain individual-level data for years and 
years and Do-Not-Track was turned on, what privacy have we real- 
ly achieved? 

But we are not even to that point yet. Mozilla has been sending 
out these signals for over 2 years now for users who go out of their 
way to turn on Do-Not-Track, and a few companies, like Yahoo! 
and BlueTie, treat it as an opt-out. But most just ignore it. 

Google Chrome has a Do-Not-Track setting that meets every pos- 
sible test DAA could want. It is not on by default. There is explana- 
tory text. There is a link for more information. You can’t just do 
it with one click, and companies are ignoring those, too. 

I am personally still hopeful that a compromise can be worked 
out after all this time because if the industry, the advertising in- 
dustry won’t agree to a meaningful standard, the browsers have 



26 


shown they are going to fight back. So Mozilla has moved to dis- 
able cookies, at least in the short term, so that the browsers under- 
stand unfettered data collection and retention isn’t necessary for 
the Net to work. 

After all, Apple’s Safari browser has blocked cookies for years 
and is far more restrictive than a negotiated DNT setting would be, 
and the Web works just fine on Apple devices. So much of the pri- 
vacy debate in this country is focused on just this one narrow issue, 
and for years and years, we haven’t had resolution. 

Ultimately, we really need to fundamentally rework our privacy 
framework in America. Citizens deserve basic privacy rights over 
all commercial collection of data, and they need due process of law 
before Government access. Only then will consumers in this coun- 
try have confidence their privacy is being protected. 

Thank you very much for the opportunity to testify, and I look 
forward to responding to the Senators’ questions. 

[The prepared statement of Mr. Brookman follows:] 

Prepared Statement of Justin Brookman, Director, Consumer Privacy, 
Center for Democracy & Technology 

On behalf of the Center for Democracy & Technology (CDT), I thank you for the 
opportunity to testify today. We applaud the leadership the Chairman has dem- 
onstrated in examining the challenges in developing a consensus Do Not Track 
standard and appreciate the opportunity to address the continued insufficiency of 
self-regulatory consumer privacy protections. 

CDT is a non-profit, public interest organization dedicated to preserving and pro- 
moting openness, innovation, and freedom on the decentralized Internet. I currently 
serve as the Director of CDT’s Consumer Privacy Project. I am also an active partic- 
ipant in the Worldwide Web Consortium’s Tracking Protection Working Group, 
where I serve as editor of the “Tracking Compliance and Scope” specification — the 
document that purports to define what Do Not Track should mean. 

My testimony today will briefly describe the history of online behavioral adver- 
tising and the genesis of the Do Not Track initiative. I will then describe the current 
state of the World Wide Web Consortium’s efforts to create Do Not Track standards 
and the challenges going forward to implement Do Not Track tools successfully. I 
will conclude with my thoughts on the future of Do Not Track, and why I believe 
that this protracted struggle demonstrates the need for the fundamental reform of 
our Nation’s privacy protection framework for commercial and government collection 
and use of personal information. 

The Rise of Behavioral Advertising 

Online behavioral advertising has been a concern for regulators and privacy advo- 
cates for over fifteen years now. Behavioral advertising, or more specifically cross- 
site behavioral advertising, was originally made possible because of two core capa- 
bilities afforded by web browsers: cookies and referer headers. Cookies are small 
bits of code that the operator of a website can store locally on a user’s computer — 
among other things, they can be used as unique IDs so that a website can recognize 
a particular user (or device) when the user returns to a particular website. Origi- 
nally conceived as a means for first-party services to keep remember a user over 
time, soon advertising networks — the companies that websites often use to generate 
ads for them — began to place unique cookies’ on web users’ browsers as well. Be- 
cause web browsers typically identify the referring site when it passes along a web 
request (the “referer header”), advertising networks were informed of the precise 
webpage they served a user a particular advertisement. Combining cookies and 
referer headers together, advertising networks were able to generate detailed logs 
of the various websites they encountered a particular user. 

Eventually, these companies began analyzing this web history to help inform deci- 
sions about which ads to show particular users. When an advertiser has a presence 
on many sites a user may visit, it is able to develop a trail of past web surfing be- 
havior consisting of a list of many individual actions a user has taken online. These 
trails are very unique in the sense that no two people do exactly the same things 
online, so advertisers are able to leverage this very rich, unique view of each user 
to make split-second decisions about what ads to show them that they will have the 
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highest likelihood of noticing and interacting with. In a nutshell, that’s what behav- 
ioral advertising is — utilizing information about previous sites visited by a par- 
ticular user to influence decisions about what ads to show in the future. 

As the behavioral advertising industry took off, many privacy advocates com- 
plained that users did not understand that their cross-site behavior was being 
tracked by companies they had never heard of, and urged that users should have 
to affirmatively consent to the tracking of their web surfing habits. In 2000, a class 
action suit was filed against Doubleclick, a leading behavioral advertising company, 
arguing that the company’s tracking users without consent across websites violated 
the Electronic Communications Privacy Act and the Computer Fraud and Abuse 
Act. At the same time, the Federal Trade Commission investigated DoubleClick’s be- 
havioral advertising practices, and the allegations that Doubleclick intended to at- 
tach real names to behavioral profiles. Eventually, the Doubleclick lawsuit was dis- 
missed,^ and the FTC discontinued its investigation of the company, declining to al- 
lege that the company’s tracking of users without explicit consent violated existing 
law.^ 

However, while advocates’ call for opt-in consent for behavioral tracking went 
unheeded, industry has always acknowledged that users should at least have the 
right to opt out of behavioral advertising.^ Moreover, for years, there has been gen- 
eral recognition that there must to be a global way to opt out of all behavioral 
tracking at once — users cannot reasonably be expected to locate all potential track- 
ing companies and one-by-one opt out of their tracking. Thus, already today, the 
Digital Advertising Alliance (DAA) — the umbrella self-regulatory group consisting of 
the Interactive Advertising Bureau, Network Advertising Initiative, Better Business 
Bureau and others — maintains a site through which users can globally opt out of 
behavioral advertising by its member companies.'^ 

Unfortunately, there are several limitations to industry’s current opt-out struc- 
ture: 

• It only applies to advertisers that are members of the DAA; companies that 
don’t sign up and pay for membership are not included, and receive no indica- 
tion that a user does not want to be tracked. 

• The opt-out is almost always cookie-based. If a user deletes her cookies — or if 
they are routinely deleted by her anti-virus software, as is often the case — the 
opt-out disappears, and companies subsequently have no way of knowing that 
tbe user does not want to be tracked. 

• The opt-out only prevents users from seeing targeted ads, which are based on 
information gathered from tracking. However, it does not prevent tracking 
itself. While the DAA’s Multi-Site Principles in principle agree with the notion 
of collection limitation, in practice, the code’s bases for collection are extremely 
broad, and any justification to understand “consumer preferences and behaviors 
[or] research about consumers, products, or services” could justify individualized 
data collection despite the user’s opting out.® 

• The interface through which users are presented their choices around tracking 
and opting out hoth through the AdChoices icon and on the DAA website are 
confusing.® 

Coupled with the limitations of the industry’s opt-out approach, industry self-reg- 
ulation has failed to grapple with the dramatic expansion of the scope of tracking 
online. Websites that used to embed one or two tracking cookies now embed dozens. 
A Wall Street Journal report found that the top 50 websites placed over 3,000 track- 
ing files on a test computer; lAC Interactive’s Dictionary.com alone placed 223 
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tracking files from a variety of third-party companies^ In the past year alone, the 
number of web tracking tags on websites has gone up 53 percent, nearly half of 
which were embedded not by the first-party publisher, but by ad networks embed- 
ding their own tags to transmit data to still other companies.® Moreover, tracking 
that used to be pseudonymous (profiles tied to a device, but not a name) are increas- 
ingly linked or easily linkable to real world identities.® Last December, for example, 
the Wall Street Journal reported on a company named Dataium that tracked users 
by e-mail address, and sent descriptions of online surfing to offline companies with 
which users had shared that same e-mail address. Industry trade associations 
have failed to adapt to address new business models predicated on expanded and 
more personal tracking. As one long-time industry player summarized recently: 
“Self-regulation hasn’t worked the way we promised Washington it would.” 

The Call for Do Not Track 

Given the longstanding inadequacy of industry self-regulatory control options, in 
October 2007, CDT and other consumer advocacy organizations called on the Fed- 
eral Trade Commission to create a Do Not Track list, similar to the successful “Do 
Not Call” list that allows users to opt out of telemarketing. Under the original for- 
mulation for Do Not Track, online advertisers would have to self-identify to the 
FTC, which would then compile a list of their domains that track consumers. Brows- 
ers that supported Do Not Track would then block any third-party communications 
to domains on the FTC’s block list.^^ Only ad networks that did not use unique 
identifiers to track users around the web would be able to serve advertisements. As 
a result, users who turned on Do Not Track would simply see ads that were not 
specialized for them, since advertisers would not have access to the consumers’ re- 
cent history on the Web to surmise their interests.^® 

Initially, advocates’ call for Do Not Track functionality went nowhere. In July of 
2009, researcher Christopher Soghoian and Mozilla privacy engineer Sid Stamm cre- 
ated a prototype add-on for Firefox, which reformulated Do Not Track as a per- 
sistent HTTP header appended to all web requests. This would give consumers the 
option of sending out a digital signal each time the user visits a website, asking 
companies to stop tracking them from site to site. The Do Not Track header was 
in many ways an improvement over the original concept, as it did not rely on track- 
er self-identification, and did not require a centrally-hosted list of tracking domains. 
However, this approach was offered initially as a proof-of-concept, and was not im- 
plemented into the Mozilla Firefox browser, 

In July 2010, then-FTC Chairman Jon Leibowitz testifying before this Committee 
effectively resurrected the idea of Do Not Track, and called upon browser makers 
and ad networks to work together to implement this technology, The FTC formally 
recommended the development of Do Not Track in its 2010 draft privacy report, Pro- 
teeting Consumer Privaey in an Era of Rapid Change: A Proposed Framework for 
Businesses and Poliey makers 
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In response to Chairman Leibowitz’s call, browser makers moved surprisingly 
quickly to offer Do Not Track features. One week after the draft report was re- 
leased, Microsoft announced that Internet Explorer 9 would include Tracking Pro- 
tection Lists, which give consumers the option to block communications to all third- 
party domains listed on a specific blacklist. This approach mirrored the advocates’ 
original 2007 conception of Do Not Track, which was predicated on blocking tracking 
domains. However, rather than rely on a centralized list of trackers, Microsoft en- 
couraged others to create and publish their own list of trackers for users to 
download. 

The next month, Mozilla announced it would implement the header approach to 
Do Not Track in its Firefox web browser, allowing users to send out a persistent 
header to all websites indicated a preference not to be tracked. Quickly, popular 
support within the privacy community coalesced around the notion that the header 
approach was the most viable way to implement Do Not Track, and within several 
months, all the major browsers offered users a means to append Do Not Track head- 
ers to all web requests. 

Perhaps most significantly, in February of 2012, at a White House event to an- 
nounce President Obama’s proposed comprehensive privacy protection framework, 
the DAA announced that it would begin work to allow users to opt out of behavioral 
advertising using browser based headers. At the time, the DAA stated that it would 
enforce its self-regulatory choice principles when a user had been provided informa- 
tion about “the effect of exercising such a choice,” and when the user had affirma- 
tively chosen to exercise her choice using the browser based header, The DAA 
stated in February of 2012, “The DAA is committed to making such choices work 
for all consumers. . . . The DAA expects that such functionality will be imple- 
mented within nine months.”^® 

Status of Do Not Track Today 

However, despite industry’s commitment from 14 months ago, today, only a hand- 
ful of third-party companies acknowledge and respond to Do Not Track headers in 
any way.^i 

For some time, the delay in implementation was perhaps justified by a lack of 
agreement on what exactly the Do Not Track signal should mean. Much of this de- 
bate has taken place within the Tracking Protection Working Group of the World 
Wide Web Consortium (W3C). W3C is a voluntary web standards setting body made 
up of industry members, privacy advocates, and academic experts; historically they 
have promulgated standards for the Web on a wide range of matters, such as Web 
Design and Applications, Web Architecture, and the Semantic Web.^^ The Tracking 
Protection Working Group was established originally in response to Microsoft’s re- 
quest to standardize Tracking Protection Lists, but was subsequently chartered to 
form a standard for a universal Do Not Track request tool.®® 

However, this delay has become less defensible over time as the Tracking Protec- 
tion Working Group has failed to come to consensus on a number of key issues. For 
well over a year now, the group has effectively stalled on how to address: 

• Cookies: Privacy advocates have ar^ed that parties honoring Do Not Track 
should be prohibited from using cookies or other unique identifiers, which would 
allow those companies to more easily recognize users across websites. In re- 
sponse, industry has argued that cookies should be available for limited pur- 
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poses (such as fraud prevention or ad frequency capping). This has been a point 
of contention within the group from the beginning, and indeed back to the origi- 
nal call for Do Not Track in 2007.^'*^ 

• Market research and product improvement: Apart from the question of what 
data can be collected despite a Do Not Track signals is the question of why data 
may be collected and retained despite a Do Not Track signal. All parties within 
the working group are generally in agreement that some data may be collected 
for basic operational purposes, such as ad delivery, security, frequency capping, 
and accounting. However, some working group participants have sought to 
allow the collection and use of data for broader purposes such as market re- 
search and product improvement. These purposes are certainly legitimate and 
societally worthwhile, hut not necessarily essential to any particular website’s 
functioning, and purposes for which a Do Not Track user might not necessarily 
expect her browsing history to be monitored and retained by third parties with 
which she has no relationship. Though the working group is agreed that re- 
search data could not be used to alter any individual’s experience and will ulti- 
mately be used in the aggregate, it would be collected and retained on an indi- 
vidualized basis for a potentially extensive period of time (up to 53 weeks per 
one recent proposal, and longer in others). At one point, the working group had 
decided to exclude these purposes as a permitted use under the standard, but 
the idea has recently been reintroduced.^® 

• Deidentification: All parties are in agreement that if data has been 
“deidentified,” then it falls outside the scope of Do Not Track. That is, if a set 
of data has been stripped of identifiers and cannot be attributed to a person or 
device. Do Not Track should not apply to the data, and the company may use 
it as it pleases. However, there is debate over how robust deidentification must 
be. Advocates have argued for a test that largely mirrors the FTC’s own test 
for deidentification: (1) you must have a reasonable belief that data could not 
be tied back to an individual or device, (2) you must promise not to try to re- 
identify the data, and (3) anyone you transfer the data to must also promise 
not to reidentify it. Some working group members have pushed back against 
this model, arguing that companies should be allowed to retain the technical 
ability to reidentify data so long as there are institutional controls in place to 
prevent reidentification. Under that approach, companies could continue to col- 
lect behavioral data for research and modeling purposes so long as the company 
had procedures in place to prohibit anyone within the company from singling 
out a particular user or device.^® 

• Browser presentation of Do Not Track options and consequences for non-compli- 
ant browsers: The working group is generally agreed that a Do Not Track signal 
should represent the will of the user — browsers shouldn’t send a Do Not Track 
signal without the user’s understanding and consent. However, there is an open 
question over who should be able to evaluate the validity of a browser’s presen- 
tation of Do Not Track choices to users. Some working group participants have 
argued that third parties should be able to reject Do Not Track signals from 
browsers that they believe do not adequately obtain consent to turn on Do Not 
Track from users. Other working group members have argued that third parties 
claiming compliance with Do Not Track should be required to honor 
syntactically correct signals and not second-guess a user’s state of mind.^'^ 

• Data retention: While all parties recognize the need for some level of data collec- 
tion and retention by third parties when Do Not Track is turned on, there is 
disagreement on how long companies should be permitted to retain such data. 
Some working group members have argued that financial and auditing require- 


24 W3C Tracking Protection Working Group, Tracking Compliance and Scope, No Persistent 
Identifers, http: ! !www. w3.org 1201 1 / tracking-protection I drafts / tracking-compliance.htmlUno- 
persistent-identifiers; CDT, “Consumer Rights and Protections in the Behavioral Advertising Sec- 
tor,” October 31, 2007, https:l /www.cdt.orglprivacyl20071031consumerprotectionsbehavioral 
.pdf 

25 W3C, Tracking Protection Working Group, Tracking Compliance and Scope, Audience Meas- 
urement, http:! / www.w3.org 1 201 1 1 tracking-protection / drafts / tracking-compliance.htmWaudien 
ce-measurement. 

25W3C, Tracking Protection Working Group, Tracking Compliance and Scope, Unlinkability, 
http:! / www.w3.org ! 2011 ! tracking-protection ! drafts ! tracking-compliance.htmWdef-unlinkable. 

2'7W3C, Tracking Protection Working Group, Tracking Compliance and Scope, User Agent 
Compliance, http:! I www.w3.org 12011 1 tracking-protection I drafts I tracking-compliance.htrnlttus 
er-agent-compliance; W3C, Tracking Compliance Working Group, Tracking Compliance and 
Scope, Noncompliant User Agents, http:! I www.w3.org 12011 ! tracking-protection ! drafts ! track- 
ing-compliance. htmWnoncompliant- UA. 



31 


merits dictate that data should (or must) be retained in individualized form for 
up to seven years. Other working group members have stated that such exten- 
sive retention is neither legally or logistically necessary, and that prolonged and 
individualized retention of cross-site data would run counter to a user’s reason- 
able expectations in turning on Do Not Track.^® 

Obviously, many of these issues are inter-dependent. Data retention matters more 
if companies can use unique cookies to log cross-site behavior. Companies may be 
more willing to adopt a robust deidentification standard if they are allowed to collect 
and retain data for market research and product improvement. For a bargain to be 
struck, these issues will all likely need to decided as part of a comprehensive pack- 
age. 

However, to date, most industry working group participants have not been pub- 
licly willing to agree to move much beyond the current DAA principles for users who 
opt out of behavioral advertising, which regulators and advocates have criticized as 
insufficiently robust.^® In some ways, industry proposals are even weaker than the 
rules currently in effect. For example, the DAA code arguably has a stronger defini- 
tion of deidentification than has been proposed as an alternative within the Track- 
ing Protection Working Group. Indeed, the DAA recently appears to have back- 
tracked on the very notion that Do Not Track should even turn off behavioral adver- 
tising — the very purpose for which Do Not Track was originally proposed.®® 

The Future of Do Not Track and Behavioral Advertising 

Industry’s failure to honor Do Not Track signals more than two years after they 
were first incorporated within Mozilla’s Firefox browser is frustrating and per- 
plexing. Despite disagreements over the precise contours of Do Not Track, self-regu- 
latory groups could at least require members to treat Do Not Track as an opt-out 
under the DAA code, as Yahoo! and some other companies do today.®^ Nor has there 
been any particular urgency within W3C (or elsewhere) to define a different stand- 
ard for the treatment of Do Not Track users. Although trade association representa- 
tives have increasingly made chicken-little pronouncements on the effect that Do 
Not Track will have for the web,®® it is important to remember that they have long 
supported industry-wide opt-out rights for consumers online. Do Not Track is merely 
an improvement on industry opt-outs that have not proven sufficiently robust to ad- 
dress user concerns. 

Moreover, it is important to note that Safari users have effectively had Do Not 
Track turned on by default for several years, ever since Apple made the decision 
to prevent third parties from setting cookies. Apple users can readily attest that 
apocalyptic predictions over the effects of Do Not Track have not come true for 
them, and that they enjoy the same wide variety of free Web content as users of 
other browsers, supported by (non-behaviorally targeted) advertisements. 

Despite the lack of progress, CDT remains hopeful that ultimately the working 
group can agree on a strong Do Not Track standard that allows for some basic oper- 
ational collection and retention of user data but limits behavioral retention and use 
to whatever is strictly necessary for the web to function. CDT originally proposed 
such a compromise approach in January 2011 just after the FTC formally called for 
the adoption of Do Not Track.®® In April of 2012, we presented a similar compromise 
suggestion to the Tracking Protection Working Group at a face-to-face meeting in 
Washington, DC. Under our proposal, third parties would be allowed to use unique 
identifiers for narrow operational purposes, but not secondary purposes such as 


®®W3C, Tracking Protection Working Group, Tracking Compliance and Scope, Financial Log- 
ging and Auditing, http:! I www.w3.org 1 2011! tracking-protection I drafts ! tracking-compliance 
.htmWfinancial-logging. 

Federal Trade Commission Report: Protecting Consumer Privacy in an Era of Rapid 
Change: Recommendations For Businesses and Policymakers, March 2012, http: j lwww.ftc.gov ! 
opa 12012 1031 privacy framework. shtm. 

3® E-mail from Rachel Thomas to Tracking Protection Working, October 4, 2012, http: ! ! 
Iists.w3.org / Archives I Public I public-tracking / 2012Oct / 0115.html. 

®^Note however that Yahoo! does not honor Do Not Track requests from Internet Explorer 
10, as the company alleges that the user flow for turning on Do Not Track does not sufficiently 
ensure that the signal represents a user’s informed choice. Yahoo! Policy Blog, Shane Wiley, “In 
Support of a Personalized Experience,” October 22, 2012, http:! ! www.ypolicyblog.com ! 
policyblog 1 2012 j 10 ! 26 ! dnt ! . 

Leslie Harris, “The Bizarre, Belated Assault on Do Not Track,” Huffington Post, October 4, 
2012, http:! i www.huffingtonpost.com i leslie-harris ! the-bizarre-belated-assau b 1935668.html. 

®®CDT, “CDT Releases Draft Definition of ‘Do Not Track,”’ January 31, 2011, https: if 
www.cdt.org / blogs i erica-newland / cdt-releases-draft-definition-“do-Tiot-track”. CDT subsequently 
released a slightly revised version of this definition in April 2012, CDT, “What Does ‘Do Not 
Track’ Mean? A Scoping Proposal from the Center for Democracy & Technology, April 27, 2011 
https : / / www.cdt.org (files / pdfs (2011 0447 DNT v2.pdf. 



32 


market research. We support the robust deidentification standard as articulated by 
the FTC, but could be willing to allow third parties to reject certain Do Not Track 
signals — so long as the rejection is immediately signaled to the browser. However, 
to date, these proposals and other efforts to break the logjam have not gained sig- 
nificant traction. 

One important development since Chairman Leibowitz called for Do Not Track in 
2010 has been a stronger commitment to user privacy on the part of the browser 
makers. For years, browser vendors seemed more intent of preserving the business 
models of behavioral advertising than in satisf 3 dng the demands of their users. How- 
ever, with increased focus on privacy issues by the press and by regulators, browser 
makers have listened to the demands of their clients — that is, their users — and have 
increasingly taken steps to protect users’ privacy. As noted previously, all the major 
browser makers have implemented means for users to turn on Do Not Track and 
send Do Not Track headers to all websites. In June of last year, Microsoft an- 
nounced that it would include Do Not Track options during the install flow for Win- 
dows 8 and Internet Explorer 10 — with the recommended setting set to Do Not 
Track being on.®^ In February, Mozilla announced that it would join Apple in pre- 
venting third parties from setting cookies in its browser.^® 

That browser makers are increasingly competing on privacy and responding to 
user’s sentiments on behavioral advertising 3® is a welcome and important develop- 
ment. For years, privacy advocates have worried that in an arms race between users 
and ad networks, users, who by and large lack the sophistication and technical 
skills of the ad networks, were destined to lose. However, with the browsers increas- 
ingly acting in accordance with the desires of their user base, that result is no 
longer a foregone conclusion. Do Not Track was originally offered as a reasonable 
middle ground to avert an arms race — where ad networks could collect basic oper- 
ational information and still serve (non-targeted) advertisements.®^ If trade associa- 
tions continue to stick their heads in the sand and ignore consumer sentiment about 
their practices (instead of establishing a value proposition to users about behavioral 
advertising’s benefits), moves like Mozilla’s and Apple’s to frustrate cross-site track- 
ing will become the norm, and an inability to set cookies may be the least of their 
concerns. 

Ultimately, the tortured Do Not Track saga is a stark demonstration of why con- 
sumers fundamentally need comprehensive privacy law. Unlike many areas of pri- 
vacy, behavioral advertising has been under considerable regulatory and press scru- 
tiny for over fifteen years (and intense scrutiny for at least the last five), and still 
despite all that effort and attention, practices have not meaningfully corrected and 
aligned with consumer expectations. In order to ensure that adequate consumer pro- 
tections are in place for behavioral advertising — as well as considerably less exam- 
ined industries with as least as extensive privacy implications — consumers deserve 
a strong but flexible horizontal privacy law governing all collection, use, and reten- 
tion of personal information based on the Fair Information Practice Principles. 

Finally, the ever-increasing stores of commercial databases of personal informa- 
tion about each and every one of us provides a compelling reason to revisit law en- 
forcement privacy rules as well. For this reason, CDT has convened the Digital Due 
Process coalition to advocate for the reform of the Electronic Communications Pri- 
vacy Act, to ensure that these databases are only accessed by the government under 
the due process of law.®® Absent meaningful protections on potential government 
abuse, consumers have all the more reason to distrust commercial data collection 
and retention practices. 

Conclusion 

CDT would like to thank Senator Rockefeller and the Committee again for holding 
this important hearing on an issue that Americans are increasingly concerned 
about. We believe that Congress has a critical role to play in ensuring the privacy 


®^Ed Bott, “Microsoft sticks to default Do Not Track settings in IE 10,” ZDNet, August 7, 
2012, http:! / www.zdrwt.com / microsoft-sticks-to-default-do-not-track-settings-in-ie-10-700000228 
91. 

Justin Brookman, CDT blog, “Mozilla Says Enough is Enough,” February 26, 2013, https:/ 1 
www.cdt.org / blogs i justin-hrookman / 2602moziUa-says-enough-etiough. 

Joseph Turow et al., “Americans Reject Tailored Advertising and Three Activities that En- 
able It,” September 29, 2009, http:llpapers.ssrn.comlsol3lpapers.cfm/abstract id=1478214; 

Wendy Davis, “Zogby Poll: Web Users Troubled by Behavioral Advertising,” MediaPost, June 8, 
2010, http:/ 1 www.mediapost.com I publications I article 1 129753 1 #axzz2REncGaSy. 

Leslie Harris, “The Bizarre, Belated Assault on Do Not Track,” Huffington Post, October 4, 
2012, http:/ i www.huffingtonpost.com i leslie-harris ! the-bizarre-belated-assau 6 1935668.html. 

3® Digital Due Process, http:! ldigitaldueprocess.Qrglindex.cfm?objectid=37940370-2551-llDF- 
8E02000C296BA163. 



33 


of consumers, through rigorous oversight of industry practices, and through the long 
overdue enactment of reasonable privacy legislation. CDT looks forward to working 
with the Members of the Committee as they pursue this and other privacy issues 
further. 

The Chairman. Thank you, sir. 

And then, finally, Mr. Adam Thierer, who is Senior Research Fel- 
low at George Mason University. 

STATEMENT OF ADAM THIERER, SENIOR RESEARCH FELLOW, 
MERCATUS CENTER, GEORGE MASON UNIVERSITY 

Mr. Thierer. Thank you, Mr. Chairman and members of the 
Committee, for inviting me here today to comment on the impor- 
tant issues of online privacy policy and data collection. 

My name is Adam Thierer, and I am a Senior Research Fellow 
at the Mercatus Center at George Mason University, where I study 
Internet policy issues in the Mercatus Center’s Technology Policy 
Program. 

My message here today, which is condensed from two recent Law 
Review articles on these issues, boils down to three key points. 
First, no matter how well intentioned, restrictions on data collec- 
tion could negatively impact the competitiveness of America’s dig- 
ital economy, as well as consumer choice. 

Second, it is unwise to place too much faith in any one single sil- 
ver bullet solution to online privacy, including Do-Not-Track, be- 
cause such schemes are often easily evaded or defeated or fail to 
live up to their billing. 

Finally, with those two points in mind, we should look to alter- 
native and had less costly approaches to protecting privacy that 
rely on education, empowerment, and targeted enforcement of ex- 
isting laws. Serious and lasting long-term privacy protection re- 
quires a layered, multifaceted approach incorporating many solu- 
tions. 

Let us begin by being more specific about those costs associated 
with restrictions on data collection because they are important. On- 
line advertising and data collection are the fuel that powers our in- 
formation economy. Privacy-related mandates that curtail the use 
of data to better target adds or services could have several delete- 
rious effects. 

First, data restrictions could raise direct cost to consumers if 
walled gardens and pay walls are erected in response. As Senator 
Heller has already pointed out, something has to pay for all the 
wonderful free sites and services we enjoy today, and that is adver- 
tising and data. 

Second, data restrictions could indirectly cost consumers by di- 
minishing the abundance of content and culture now supported by 
data collection and advertising. In other words, even if prices and 
pay walls don’t go up, overall quality or quantity could suffer if 
data collection is restricted. 

Third, as Senator McCaskill and Senator Thune have already 
pointed out, data restrictions could hurt the competitiveness of do- 
mestic markets. While regulation raises the cost of doing business 
for all players in our economy, those costs will ultimately fall hard- 
est on the small competitors or new start-ups. 
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For example, today’s app economy has given countless small 
innovators a chance to compete on even footing with the biggest 
players. Burdensome data collection restrictions could short-circuit 
the engine that drives that sort of entrepreneurial innovation 
among mom-and-pop companies. 

Fourth, data restrictions could undermine America’s global com- 
petitive advantage in this space. We should ask ourselves how it 
is that America’s Internet sector came to be the envy of the world 
and why it is so hard to name any major Internet company from 
Europe. Our more flexible, light-touch regulatory regime leaves 
more breathing room for competition and innovation compared to 
Europe’s top-down approach. 

Generally speaking, when it comes to privacy protection, there- 
fore, we should avoid placing excessive faith in schemes like Do- 
Not-Track because they ultimately could fail, just as previous 
techno fixes failed to keep pace with fast-moving developments in 
this space. 

Even if Do-Not-Track takes root and some consumers do turn it 
on, many will be incentivized by ad networks and publishers to opt 
right back out into tracking to retain access to the sites and serv- 
ices they desire. In doing so, they may actually end up sharing 
even more information than they do today. Moreover, that may 
drive still greater consolidation since larger players will be in a po- 
sition to grant Internet-wide permissions or exceptions while small- 
er providers cannot. 

In light of these trade-offs, we should subject new data restric- 
tions to strict benefit/cost analysis to ensure we are not imposing 
unnecessary burdens on our data-driven economy. We should si- 
multaneously consider how we might better spend our time and re- 
sources developing a richer mosaic of privacy-enhancing tools and 
educational strategies. 

Luckily, an extensive array of tools and strategies exist today to 
help privacy, and that is made clear by an article that appeared 
just this morning on Lifehacker.com entitled, “The Best Browser 
Extensions That Protect Your Privacy,” which ended with the fol- 
lowing line. “You have some solid options. The tools are at your fin- 
gertips. It has never been easier to take the reins for yourself and 
make the Web an opt-in experience instead of an opt-out one.” 

Meanwhile, Web browsers continue to provide — or experiment 
with different privacy defaults, and while the W3C continues to 
pursue a single Do-Not-Track standard, innovators in the market- 
place have already made private Do-Not-Track tools a reality. It is 
worth noting that almost all of these tools are available free of 
charge to consumers. So no barrier to widespread adoption exists. 

As is the case with online safety concerns, citizens have access 
to many tools and methods to let them protect their privacy as they 
see fit, and evidence suggests they are already doing so. 

Finally, where serious harms are documented, the FTC already 
possesses broad enforcement authority to police unfair and decep- 
tive practices and has recently been using it more aggressively. 
Moreover, State law and class action lawsuits exist as a backstop 
and are often used aggressively following data breaches or privacy 
violations. 
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In closing, if we want America’s digital economy to remain open, 
innovative, and vibrantly competitive, then this sort of flexible bot- 
tom-up approach to privacy protection is the constructive path for- 
ward. 

If our fear is that consumers lack enough information to make 
informed choices about their privacy, then let us work harder to 
educate them while pushing for greater transparency about online 
data collection practices. 

Finally, we should remember that not everyone shares the same 
privacy sensitivities and that citizens also care about other values, 
such as cost, convenience, and choice. Moreover, we must take into 
account the very strong likelihood that citizens will adjust their 
privacy expectations in response to ongoing technological develop- 
ments, just as they have many times before. 

I thank the Committee for inviting me here today, and I would 
be happy to take questions. 

[The prepared statement of Mr. Thierer follows:] 

Prepared Statement of Adam D. Thierer, Senior Research Fellow, 
Mercatus Center, George Mason University 

Mr. Chairman and members of the Committee, thank you for inviting me here 
today to comment on the important issues of online privacy policy and commercial 
data collection. My name is Adam Thierer and I am a senior research fellow at the 
Mercatus Center at George Mason University, where I study Internet policy issues 
in the Mercatus Center’s Technology Policy Program. 

My message here today, condensed from two recent law review articles, ^ boils 
down to three points: 

1. First, no matter how well-intentioned, restrictions on data collection could neg- 
atively impact the competitiveness of America’s digital economy, as well as con- 
sumer choice. 

2. Second, it is unwise to place too much faith in any single, silver-bullet solution 
to privacy, including “Do Not Track,” because such schemes are easily evaded 
or defeated and often fail to live up to their billing. 

3. Finally, with those two points in mind, we should look to alternative and less 
costly approaches to protecting privacy that rely on education, empowerment, 
and targeted enforcement of existing laws. Serious and lasting long-term pri- 
vacy protection requires a layered, multifaceted approach incorporating many 
solutions. 

Trade-offs Associated with Restrictions on Data Collection 

Let’s be more specific about the potential costs of restrictions on data collection. 
Online advertising and data collection are the fuel that powers our information 
economy. Privacy-related mandates that curtail the use of data to better target ads 
or services could have several deleterious effects.^ 

First, data restrictions could raise direct costs for consumers if walled gardens 
and paywalls are erected in response. Something has to pay for all the wonderful 
free sites and services we enjoy today. 

Second, data restrictions could indirectly cost consumers by diminishing the 
abundance of content and culture now supported by data collection and advertising. 


1 Adam Thierer, The Pursuit of Privacy in a World Where Information Control Is Failing, 36 
Harv. J. L. & Pub. Pol. 409 (2013), papers. ssrn.comysol3/papers.cfm?abstract_id=2234680; Adam 
Thierer, A Framework for Benefit-Cost Analysis in Digital Privacy Debates, 20 Geo. Mason 
Univ. L. Rev., (forthcoming. Summer 2013). 

^See generally Adam Thierer & Berin Szoka, The Hidden Benefactor: How Advertising In- 
forms, Educates & Benefits Consumers, Progress & Freedom Foundation, Progress Snapshot, 
Feb. 2010; Berin Szoka & Adam Thierer, Online Advertising & User Privacy: Principles to Guide 
the Debate, Progress & Freedom Foundation, Progress Snapshot, Sept. 2008. 
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In other words, even if prices and paywalls don’t go up, overall quantity or quality 
could suffer if data collection is restricted.^ 

Third, data restrictions could hurt the competitiveness of domestic markets. While 
regulation raises the costs of doing business for all online operators, those costs will 
fall hardest on smaller operators and new start-ups.'^ For example, today’s “app 
economy” has given countless small innovators a chance to compete on even footing 
with the biggest players.^ Burdensome data collection restrictions could short-circuit 
the engine that drives entrepreneurial innovation among mom-and-pop companies 
if ad dollars get consolidated in the hands of only the larger companies that can 
afford to comply with new rules.® 

Fourth, data restrictions could undermine America's global competitive advantage 
in this space. We should ask ourselves how it is that America’s Internet sector came 
to be the envy of the world and why it is so hard to name any major Internet com- 
pany from Europe.'^ Our more flexible, light-touch regulatory regime leaves more 
room for competition and innovation compared to Europe’s top-down regime.® 

Unintended Consequences of Do Not Track 

Generally speaking, when it comes to privacy protection, we should avoid placing 
excessive faith in schemes like Do Not Track because they could fail, just as previous 
techno-fixes failed to keep pace with fast-moving developments in this space. 

[See Appendix I: “Techno-‘Silver-Bullet’ Solutions Don’t Work — Some Case Stud- 
ies.”] 


3 A 2010 study by Howard Beales, the former Director of the Bureau of Consumer Protection 
at the FTC, found that “the price of behaviorally targeted advertising in 2009 was 2.68 times 
the price of run of network advertising.” That increased return on investment is important, 
Beales notes, because it creates “greater utility for consumers from more relevant advertise- 
ments and clear appeal for advertisers from increased ad conversion.” Beales also noted that, 
“a majority of network advertising revenue is spent acquiring inventory from publishers, making 
behavioral targeting an important source of revenue for online content and services providers 
as well as third party ad networks.” Howard Beales, Network Advertising Initiative, The Value 
of Behavioral Targeting, at 1 (March 2010), www.networkadvertising.org ! pdfs ! Beales NAI 
Study.pdf. 

^ “In a setting where first-party advertising is allowable but third-party marketing is not, sub- 
stantial advantages may be created for large incumbent firms,” argue Professors Avi Goldfarb 
and Catherine Tucker. “For example, if a large website or online service were able to use its 
data to market and target advertising, it will be able to continue to improve and hone its adver- 
tising, while new entrants will find it difficult to challenge the incumbent’s predominance by 
compiling other data or collecting their own data.” Avi Goldfarb & Catherine Tucker, Comments 
on Information Privacy and Innovation in the Internet Economy,’ Comments to the U.S. Depart- 
ment of Commerce, Jan. 24, 2011, at 4, http:! j www.ntia.doc.govl comments ! 101214614-0614- 
01 / attachments INTIA comments 201 1 01 24.pdf. 

® “The App Economy now is responsible for roughly 466,000 jobs in the United States, up from 
zero in 2007 when the iPhone was introduced.” Michael Mandel, Where the Jobs Are: The App 
Economy, (TechNet, Feb. 7, 2012) http:! ! www.technet.org ! wp-content ! uploads ! 2012 j 02 ! 
TechNet-App-Economy-Jobs-Study.pdf 

® Apple’s Safari browser already blocks third-party cookies and now Mozilla’s Firefox browser 
will as well. This has led to concerns about how market structure and competition will be im- 
pacted. See: Tim Peterson, The Demise of Third-Party Cookies Could Help Premium Publishers, 
AdWeek, Apr. 15, 2013, http: 1 1 www.adweek.com I news I technology I demise-third-party-cookies- 
could-help-premium-publishers-148573: “First Safari and now Firefox are blocking third-party 
companies from dropping cookies on publishers’ sites to protect users’ privacy. Those moves hurt 
revenues of the smaller publishers that depend on third parties to sell ads. But, paradoxically, 
the winners could be premium publishers and large media companies, especially Facebook and 
Google, who will be able to prop up their proprietary audience data as the ideal alternative. 
Big traditional publishers whose ad revenue has shrunk as readers and advertisers shift online 
could recoup their losses by parlaying their first-party audience data into even higher ad rates”; 
Adam Lehman, Don’t Fear the Cookie Backlash, Digiday, Apr. 17, 2013, http:! Iwww.digi 
day.com I platforms I dont-fear-the-cookie-backlash: “Several people have already pointed out that 
the Mozilla [third-party cookie restriction! change will create even greater advantages for the 
largest players in digital media.” 

'^Goldfarb and Tucker have also found that “after the [European Union’sl Privacy Directive 
was passed [in 20021, advertising effectiveness decreased on average by around 65 percent in 
Europe relative to the rest of the world.” They argue that because regulation decreases ad effec- 
tiveness, “this may change the number and types of businesses sustained by the advertising- 
supporting Internet.” The European Union’s experience makes it clear that regulation of online 
advertising and data collection can affect market structure, competitive rivalry, and the global 
competitiveness of online firms. This could also have antitrust implications that the FTC or 
other agencies would need to take into account when considering new privacy rules. Goldfarb 
& Tucker, Comments on ‘Information Privacy,’ 4. 

® Adam Thierer, A Better, Simpler Narrative for U.S. Privacy Policy, Technology Liberation 
Front, Mar. 19, 2013, http: 1 1 techliberation.com 1 2013 1 03 1 191 a-better-simpler-narrative-for-u-s- 
privacy-policy. 
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Even if Do Not Track takes root and some consumers turn it on, many will be 
incentivized by ad networks or publishers to opt right back in to “tracking” to retain 
access to sites and services they desire.® In doing so, they may end up sharing even 
more information than they do today. Moreover, this may drive still greater con- 
solidation since larger players will be in a position to grant Internet-wide opt-in ex- 
ceptions, while smaller providers cannot.^^ 

Constructive Alternatives to Regulation 

In light of these trade-offs, we should subject new data restrictions to strict benefit- 
cost analysis to ensure that we are not imposing unnecessary burdens on our data- 

driven economy. 

We should simultaneously consider how we might better spend our time and re- 
sources developing a richer mosaic of privacy-enhancing tools and educational strate- 
gies. Luckily, an extensive array of such tools and strategies already exists. 

[See Appendix II: “Digital Self-Help Tools.”] 

Web browser providers continue to experiment with different privacy defaults, 
and while the World Wide Web Consortium (W3C) continues to pursue a single Do 
Not Track standard, innovators in the marketplace have already made private Do 
Not Track tools a reality.^^ 

It is worth noting that almost all of these tools are available free of charge, and 
no barrier to widespread adoption exists.^® As is the case with online safety con- 
cerns, citizens have access to many tools and methods that let them protect their 
privacy as they see fit, and evidence suggests they already actively do so.^® 

Alternative Enforcement Approaches 

Finally, where serious privacy harms are documented, the Federal Trade Commis- 
sion already possesses broad enforcement authority to police unfair and deceptive 


9 Berin Szoka, The Paradox of Privacy Empowerment: The Unintended Consequences of “Do 
Not Track,” Position paper for W3C Workshop: Do Not Track and Beyond Berkeley, California, 
{Nov. 26—27, 2012), http: 1 1 www.w3.org 1 2012 1 dnt-ws I position-papers 1 5.pdf 

^^See Nicklas Lundblad & Betsy Masiello, Opt-in Dystopias, 7:1 SCRIPTed 155, (2010), 
http:! ! www.law.ed.ac.uklahrclscript-edlvol7-lllundblad.asp, noting that as a result of a push 
for stronger-opt-in regimes, “service providers may attempt to maximise data collection in every 
instance that they are forced to use an opt-in framework; once a user consents to data collection, 
why not collect as much as possible? And the increased transaction costs associated with opt- 
in will lead service providers to minimise the number of times they request opt-in consent. In 
combination these two behaviours are likely to lead to an excessive scope for opt-in agreements. 
In turn, users will face more complex decisions as they decide whether or not to participate.” 

Szoka, The Paradox of Privacy Empowerment, 3. 

121 have explained how to conduct such an analysis in my forthcoming article, Adam Thierer, 
A Framework for Benefit-Cost Analysis in Digital Privacy Debates, 20 Geo. Mason Univ. L. 
Rev., (forthcoming. Summer 2013). 

i^They include: ad preference managers, “private browsing” tools, ad-blocking technologies, 
cookie-blockers, web script blockers, encryption and web proxy tools, and reputation protection 
services. 

1^ Megan Geuss, Firefox 22 Will Block Third-Party Cookies, Ars Technica, Feb. 23, 2013, 
http: / / arstechnica.com / business 12013 1021 firefox-22-will-block-third-party-cookies; Alexis 

Santos, Microsoft Sets Do Not Track’ as Default on lElO, Ruffles Feathers, Engadget, June 1, 
2012, http: II www.engadget.com ! 2012 ! 06 ! 01 Ido-not-track-is-default-on-ielO. 

1® Online privacy company Abine offers a “Do Not Track Plus,” which it claims blocks more 
than 600 trackers. See http:! I www.abine.com I dntdetail.php. 

i®The only serious objection to this bottom-up, user empowerment-based approach is that it 
could inconvenience users by making it more difficult to use some sites or slow down their 
browsing experience in some fashion. But it is no more an inconvenience than it is to use paren- 
tal control tools so that your kids won’t see or download objectionable content. 

^"^Adam Thierer, Progress & Freedom Foundation, Parental Controls & Online Child Protec- 
tion: A Survey of Tools, Version 4.0, Summer 2009, http:! I www.pff.org I parentalcontrols. 

i®The Pew Research Center’s Internet & American Life Project has note that 88 percent of 
U.S. adults now own cell phones, and 43 percent say they download cell phone applications or 
“apps” to their phones. When surveyed, 54 percent of those app users said they had decided 
to not install a cell phone app when they discovered how much personal information they would 
need to share in order to use it and 30 percent of them had uninstalled an app that was already 
on their cell phone because they learned it was collecting personal information that they didn’t 
wish to share. “Taken together,” Pew notes, “57 percent of all app users have either uninstalled 
an app over concerns about having to share their personal information, or declined to install 
an app in the first place for similar reasons.” Jan Lauren Boyles, Aaron Smith, and Mary Mad- 
den, Privacy and Data Management on Mobile Devices, (Pew Research Center’s Internet & 
American Life Project, Sept. 5, 2012), http:! ! pewinternet.org ! Reports 120121 Mobile-Privacy 
.aspx. 
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practices and has recently been using it more aggressively. Targeted Federal stat- 
utes already exist to address sensitive issues related to health, financial, and 
children’s privacy.^^ Enforcement alternatives are also available through state 
courts, including torts, ^3 contract law,^^ and state statutes. Class action lawsuit 
activity is also remarkably intense following any major privacy violation or data 

breach.26 

Conclusion 

In closing, if we want America’s digital economy to remain open, innovative, and 
vibrantly competitive, then this flexible, bottom-up approach to privacy protection 
is the constructive path forward. 

If our fear is that consumers lack enough information to make smart privacy 
choices, then let’s work harder to educate them while pushing for greater trans- 
parency about online data collection practices. 

Finally, we should remember that not everyone shares the same privacy sensitivi- 
ties and that citizens also care about other values, such as cost, convenience, and 
choice. 

Moreover, we must also take into account the strong likelihood that citizens will 
adjust their privacy expectations in response to ongoing technological change, just 
as they have many times before.^"^ 

[See Appendix III: “Societal Adaptation, Evolving Cultural Norms & Privacy.”] 

I thank you again for inviting me here today and I would be happy to take any 
questions. 


i^In its March 2012 Protecting Consumer Privacy in an Era of Rapid Change report, the FTC 
noted that, using its Section 5 authority and other powers, the agency has carried out many 
privacy and data security-related actions just since December 2010. See Fed. Trade Comm’n , 
Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Busi- 
nesses AND Policymakers (2012) at ii, http:llftc.govlosl2012l03ll20326privacyreport.pdf 
The FTC brought several other privacy and data security-related cases using its Section 5 pow- 
ers after the 2012 report was released. See: FTC Finalizes Privacy Settlement with Myspace, 
Fed. Trade Comm’n, (Sept. 11, 2012), http:llwww.ftc.govlopal2012l09lmyspace.shtm; FTC 
Halts Computer Spying, Fed. Trade Comm’n, (Sept. 25, 2012), http: j lwww.ftc.gov ! opal 2012 ! 
09 1 designware.shtm; Tracking Software Company Settles FTC Charges That it Deceived Con- 
sumers and Failed to Safeguard Sensitive Data it Collected, Fed. Trade Comm’n, (Oct. 22, 2012), 
http: / / www.fte.gov / opa / 2012 1101 compete, shtm. 

20 See Health Breach Notification Rule (2009), 16 C.F.R. §318.1 (2012). 

2iSee Truth in Lending Act, 15 U.S.C. §§ 1601— 1667(f) (2006); Fair Credit Billing Act, 15 
U.S.C. §§1666-1666(j) (2006); Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1681-1681(u) 
(2006). 

22 See Children’s Online Privacy Protection Act (COPPA) of 1998, 15 U.S.C. § 6501 (2006). 

23 See Jim Harper, The Privacy Torts: How U.S. State Law Quietly Leads the Way in Privacy 
Protection (2002), http:! I www.privacilla.org I releases I Torts Report.html. 

24 See Jim Harper, Understanding Privacy — and the Real Threats to It, Cato Policy Analysis, 

Aug. 4 2004, at 3, www.cato.org ! pub display.phpipub id=1652: “Contract law, for example, 

allows consumers to enter into enforceable agreements that restrict the sharing of information 
involved in or derived from transactions. Thanks to contract, one person may buy foot powder 
from another and elicit as part of the deal an enforceable promise never to tell another soul 
about the purchase.” 

23 State governments and state attorneys general also continue to advance their own privacy 
policies, and those enforcement efforts are often more stringent than Federal law. Christopher 
Wolf, Targeted Enforcement and Shared Lawmaking Authority as Catalysts for Data Protection, 
at 3 (2010), http: f fwww.justice.gov.il I NR I rdonlyres 1 8D438C53-82C8-4F25-99F8-E3039D40E4E 

4 126451 / Consumer WOLFDataProtectionandPrivacyCommissioners.pdf: “At the state level, 

legislatures have become the proving grounds for new statutory approaches to privacy regula- 
tion. Some of these developments include the enactment of data security breach notification laws 
... as well as highly detailed data security laws, enacted largely in response to data breaches. 
This partnership has resulted in a set of robust standards for the protection of personal data.” 

23 Peter Fleischer, Privacy -litigation: get ready for an avalanche in Europe, Peter Fleischer: 
Privacy? (Oct. 26, 2012), http: f! peterfleischer.hlogspot.com ! 2012 j 10 j privacy-litigation-get-ready 
-for.html?m=l: “Within hours of any newspaper headline (accurate or not) alleging any sort of 
privacy mistake, a race begins among privacy class action lawyers to find a plaintiff and file 
a class action. Most of these class actions are soon dismissed, or settled as nuisance suits, be- 
cause most of them fail to be able to demonstrate any ‘harm’ from the alleged privacy breach. 
But a small percentage of privacy class actions do result in large transfers of money, first and 
foremost to the class action lawyers themselves, which is enough to keep the wheels of the liti- 
gation-machine turning.” 

See Adam Thierer, Technopanics, Threat Inflation, and the Danger of an Information Tech- 
nology Precautionary Principle, 14 Minn. J. L. Sci. & Tech. 309, 364-73, (2013). 
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Appendix I: Techno-“Silver-Bullet” Solutions Don’t Work — Some Case 
Studies 

Seeking a simple solution to a complex problem such as online privacy protection 
is quixotic. In this sense, the Do Not Track falls into a long line of proposed silver- 
bullet or “universal” solutions to complicated technological problems. When it comes 
to such information control efforts, there are not many good examples of simple fixes 
or silver-bullet solutions that have been effective, at least not for very long. 

• Online Pornography: Consider the elusive search for a universal solution to con- 
trolling access to online pornography. The experience of the W3C’s Platform for 
Internet Content Selection (PICS)^® and the Internet Content Rating Associa- 
tion (ICRA)^® is instructive in this regard. Around the turn of the century, 
there was hope that voluntary metadata tagging and content labeling could be 
used to screen objectionable content on the Internet,^® but the sheer volume of 
material to be dealt with made that task almost impossible.®'^ The effort was 
eventually abandoned.®® Of course, the effort did not have a government man- 
date behind it to encourage more widespread adoption, but even if it had, it is 
hard to believe that all pornography or other objectionable content would have 
properly been labeled and screened. 

• Spam: In a similar way, the CAN-SPAM Act ®® aimed to curtail the flow of un- 
solicited e-mail across digital systems, yet failed to do so. Private filtering ef- 
forts have helped stem the flow to some extent, but have not eliminated the 
problem altogether. Royal Pingdom estimates that in 2010, 89.1 percent of all 
e-mails were spam.®"* “Spam pages” are also a growing concern.®® In January 
2011, Blekko, a new search engine provider, created a “Spam Clock” to track 
new spam pages and found one million new spam pages were being created 
every hour.^^ 

• Privacy: Technical silver-bullet solutions have also been tried on the privacy 
front before Do Not Track. The Platform for Privacy Preferences (P3P) is an ear- 
lier W3C project that began in the 1990s and attempted to make the use of pri- 
vacy policies easier for consumers to understand. It sought to do so by encoding 
those privacy policies in a standard machine-readable format. The hope was 
that this would allow sites “to express their privacy practices in a standard for- 
mat that can be retrieved automatically and interpreted easily” by users and 
then allow users “to automate decision-making based on these practices when 
appropriate. Thus users need not read the privacy policies at every site they 
visit.”®® In theory, “such a privacy disclosure format could also allow the FTC 
to automate enforcement of its existing authority to punish unfair or deceptive 
trade practices.”®® Unfortunately, the P3P project has not been successful. Even 
though the process got underway in the mid-1990s and the W3C had a formal 
process in place to guide its development by 1997, the project was suspended 


Frequently Asked Questions (FAQ), World Wide Web Consortium, http:! jwww 
.w3.org/ 2000/ 03 /PICS-FAQ, (last visited Jan. 30, 2013). 

^^AFout ICRA, Family online Safety Inst., http://www.fosi.org/icra, (last visited Jan. 30, 
2013). 

^^See, e.g., Joris Evers, Net labels mean choice, not censorship, PC Advisor, Oct. 23, 2001, 
http: / / www.pcadvisor.co. uk / news / desktop-pc / 1 646 / net-labels-mean-choice-not-censorship / . 

®'See Phil Archer, ICRAfail: A Lesson for the Future 9 (2009), philarcher.org/icra/ 
lCRAfail.pdf: “The problem with a safety system that has a label at one end and a filter at the 
other is that unlabelled sites can only be treated as a single group, i.e., you either block them 
all or allow them all. Since the number of labelled sites was very small, blocking all unlabelled 
sites would effectively shut off most of the Web.” 

®®Family online Safety Inst., http:/ / www.icra.org, (last visited Nov. 30, 2012). 
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Internet 2010 in Numbers, Royal Pingdom, Jan. 12, 2011, http:/ / royal.pingdom.com / 2011 / 
01/ 12 / internet-2010-in-numbers. 

®®Spam pages are “useless pages that contain only a nugget of relevancy to your query and 
are slathered in ads.” Caleb Johnson, Spam Clock Claims 1 Million Spam Pages are Created 
Every Hour, Jan. 10, 2011, SwiTCHED.COM, http://switched.eom/2011/01/10/hlekko-spam- 
clock-l-million-pages-an-hour. 

®®SpamClock, http://www.spamclock.com, (last visited Jan. 30, 2013); see also Danny Sul- 
livan, Blekko Launches Spam Clock To Keep Pressure On Google, Search Engine Land.com, 
Jan. 7, 2011, http://searchengineland.com/hlekko-launches-spam-clock-to-keep-pressure-on-goo 
gle-60634. 

®® W3C, Platform for Privacy Preferences (PSP) Project, http:/ / www.w3.org ! PSP (last accessed 
Apr. 21, 2013). 

®®Adam Thierer & Berin Szoka, The Progress & Freedom Foundation, Chairman Leibowitz’s 
Disconnect on Privacy Regulation & the Future of News at 7, (Jan. 2013), http: // papers 
.ssrn.com/sol3/papers.cfm/abstract id=1619470. 
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in 2007.^® A 2009 survey of privacy technologies by analysts at the UC Berkeley 
School of Information found that “to date, the adoption rate of P3P has been 
fairly low. Our analysis of the top 100 websites for this project revealed that 
only 27 of them provided a PSP policy, and only a subset of those were valid 
according to the PSP standard.” 

Similar problems likely await the Do Not Track mechanism.^^ Also, Do Not Track 
“does not address mobile or app data, nor any data created outside a traditional web 
browser,” notes Michael Fertik, CEO of Reputation.com.^^ “At the same time, the 
growth in technology and understanding can render current solutions inadequate. 
A privacy rule to limit behavioral advertising today might not work in the future 
when more data is available and there are more powerful algorithms to process it,” 
he says.^^ “There is no reliable way of ensuring this technology is being used,” adds 
Sidney Hill of Tech News World. “Ensuring compliance with antitracking rules 
will become even more difficult as more users turn to mobile devices as their pri- 
mary means of connecting to the Web.”^® 

Importantly, Do Not Track would not slow the “arms race” in this arena as some 
have suggested.^® If anything, a Do Not Track mandate will speed up that arms 
race and have many other unintended consequences.'^’^ Complex definitional ques- 
tions also remain unanswered, such as how to define and then limit “tracking’ in 
various contexts.^® 

In sum, in light of the global, borderless nature of online rapid data flows, the 
Do Not Track scheme likely will not be effective.^® The regulatory experience with 
spam, objectionable content, and copyrighted content suggests serious challenges lie 
ahead for top-down regulatory efforts. 

Appendix II: Digital Self-Help Tools/Privacy-Enhancing Technologies 

The market for digital “self-help” tools and privacy enhancing technologies (PET) 
continues to expand rapidly to meet new challenges. These tools can help users 
block or limit various types of advertising and data collection and also ensure a 


^^Lorrie Faith Cranor, Necessary But Not Sufficient: Standardized Mechanisms for Privacy 
Notice and Choice, 10 J. on Telecomm. & High Tech. L. 273, 279-82 (2012). 

Joshua Gomez, Travis Pinnick & Ashkan Soltani, UC Berkeley, School of Information, Know 
Privacy, at 12 (June 1, 2009). 

Steve DelBianco & Braden Cox, NetChoice Reply Comments on Department of Commerce 
Green Paper (Jan. 28, 2011), available at http: U www.ntia.doc.gov ! comments ! 101214614-0614- 
01lcomment.cfm?e=lEA98542-23A4-4822-BECD-143CD23BB5E9, (“It’s a single response to an 
overly-simplified set of choices we encounter on the web.”). 

Michael Fertik, Comments of Reputation.com, Inc. to the U.S. Department of Commerce 
(Jan. 28, 2011), available at http: II www.reputation.com ! blog! 2011 j 01 131 ! reputation-com-com- 
ments-commerce-department-privacy -green-paper. 

^^Id. 

Sidney Hill, Internet Tracking May Not Be Worth the Headaches, Tech News World, Dec. 
29, 2010, http:! / www.teehnewsworld.eom ! story Ilnternet-Tracking-May-Not-Be-Worth-the-Head- 
aches-7 1543.html. 

^^Id. 

‘^^See Rainey Reitman, Mozilla Leads the Way on Do Not Track, Elec. Frontier Fund, 
Jan. 24, 2011, https:! I www.eff.org I deeplinks ! 2011 1 01 1 mozilla-leads-the-way-on-do-not-track: 
“the header-based Do Not Track system appeals because it calls for an armistice in the arms 
race of online tracking”; Christopher Soghoian, What the U.S. government can do to encourage 
Do Not Track, Slight Paranoia, Jan. 27, 2011, http: I lparanoia.dubfire.net 1 2011 101 1 what-us- 
government-can-do-to-encourage.html: “opt out mechanisms . . . [could] finally free us from this 
cycle of arms races, in which advertising networks innovate around the latest browser privacy 
control.” 

^'^“Too often, well-intentioned efforts to regulate technology are far worse than the imagined 
evils they were intended to prevent.” Hal Abelson et al.. Blown to Bits: Your Life, Liberty, and 
Happiness After the Digital Explosion 159 (2008). 

48 Lauren Weinstein, Risks in Mozilla’s Proposed Firefox “Do Not Track” Header Thingy, 
Lauren Weinstein’s Blog (Jan. 24, 2010, 12:09 AM), http: ! I lauren.vortex.com ! archive ! 
000803.html. 

49 “Many behavioral targeting companies are based outside the U.S. — making legislation inef- 
fective,” says Doug Wolfgram, CEO of IntelliProtect, an online privacy management company. 
Tony Bradley, Why Browser Do Not Track’ Features Will Not Work, Computerworld, Feb. 10, 
2011, http:! I news.idg.no I cw I art.cfm?id=ACE91A0E-lA64-6A7 1-CE2572C981C0204A; Daniel 
Castro, Policymakers Should Opt Out of “Do Not Track” 1, 3 (2010), www.itif.org ! files ! 
2010-do-not-track.pdf: “Another problem with Do Not Track is that it does not scale well on the 
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other Internet devices. Besides raising costs for consumers, it is unclear how effective such a 
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more anonymous browsing experience. What follows is a brief inventory of the PETs 
and consumer information already available on the market today: 

• The major online search and advertising providers offer “ad preference man- 
agers” to help users manage their advertising preferences. Google, Microsoft, 
and Yahoo! all offer easy-to-use opt-out tools and educational webpages that 
clearly explain to consumers how digital advertising works.^^ Meanwhile, a rel- 
atively new search engine, DuckDuckGo, offers an alternative search experience 
that blocks data collection altogether.®^ 

• Major browser providers also offer variations of a “private browsing” mode, 
which allows users to turn on a stealth browsing mode to avoid data collection 
and other forms of tracking. This functionality is available as a menu option 
in Microsoft’s Internet Explorer (“InPrivate Browsing”),®® Google’s Chrome (“In- 
cognito”)®® and Mozilla’s Firefox (“Private Browsing”).®'^ Firefox also has many 
add-ons available that provide additional privacy-enhancing functionality.®® 
“With just a little effort,” notes Dennis O’Reilly of CNET News.com, “you can 
set Mozilla Firefox, Microsoft Internet Explorer, and Google Chrome to clear out 
and block the cookies most online ad networks and other Web trackers rely on 
to build their valuable user profiles.” ®® 

• There are also many supplemental tools and add-ons that users can take advan- 
tage of to better protect their privacy online by managing cookies, blocking web 
scripts, and so on. Like the marketplace for parental control technologies, a re- 
markable amount of innovation continues in the market for privacy empower- 
ment tools, so much so that it is impossible to document all of them here. How- 
ever, some of the more notable privacy-enhancing tools and services include: 
Ghostery,®® NoScript,®^ Cookie Monster,®^ Better Privacy,®® Track Me Not,®"^ 
Collusion,®® and the Targeted Advertising Cookie Opt-Out or “TACO”®® (all for 


^^Ads Preferences, Google, http:! I www.google.coml ads! preferences (last visited Jan. 30, 
2013). 

Choices, Microsoft, http: 1 1 choice.live.com I Default. aspx and (last visited Jan. 30, 2013); 
Personalized Advertising, Microsoft, https:! j choice.live.com I AdvertisementChoice j Default 
.aspx. (last visited Jan. 30, 2013). 

^^Ad Interest Manager, Yahoo!, http:! j info.yahoo.com j privacy j us j yahoo j opt out j targeting j 

details.html. (last visited Jan. 30, 2013). 

Privacy, Microsoft, http:! j www.microsoft.comlprivacyldefault.aspx; (last visited Jan. 30, 
2013); Yahoo! Privacy Center, Yahoo!, http:! j info.yahoo.com j privacy jus! yahoo; (last visited 
Jan. 30, 2013); Privacy Policy, Google, http: j j www.google.com j privacy j ads. (last visited Jan. 
30, 2013). 

^‘^Privacy, DuckDuckGo, http:! lduckduckgo.comlprivacy.html. (last visited Jan. 30, 2013); 
see also, Jennifer Valentino-DeVries, Can Search Engines Compete on Privacy^, Wall St. J. Dig- 
its Blog (Jan. 25, 2011, 4:02 PM), http:! j blogs.wsj.com I digits 1 201 1 j 01 1 25 j can-search-engines- 
compete-on-privacy. 

InPrivate Browsing, Microsoft, http: j j windows. microsoft. com jen- US j internet-explorer j 
products i ie-9 i features jin-private (last visited Jan. 30, 2013). 

Incognito mode (browse in private), Google, http:! j www.google.com j support! chrome! bin! 
answer.py?hl=en&answer=95464 (last visited Jan. 30, 2013). 

Private Browsing — Browse the web without saving information about the sites you visit, 
Mozilla, http:! ! support.mozilla.com ! en-US ! kb ! Private%20Browsing (last visited Jan. 30, 
2013). 

Add-Ons, Mozilla, https:! ! addons.mozilla.org ! en-US ! firefox ! tag ! incognito (last visited 
Jan. 30, 2013). 

Dennis O’Reilly, Add ‘do not track’ to Firefox, IE, Google Chrome, CNetNews.com, Dec. 7, 
2010, http:! ! news.cnet.com ! 8301-13880 3-20024815-68.html. 

Ghostery Add-On, Mozilla, https:! ! addons.mozilla.org! en-US! firefox! addon jghostery (last 
visited Jan. 30, 2013). 

®iiVo Script Add-On, Mozilla, https:! ! addons.mozilla.org ! en-US ! firefox ! addon ! noscript 
(last visited Jan. 30, 2013). 

^^Cookie Monster Add-On, Mozilla, https:! jaddons.mozilla.org! en-US! firefox! addon! cookie- 
monster (last visited Jan. 30, 2013). 

BetterPrivacy Add-On, Mozilla, https:! / addons. mozilla. org / en-US / firefox / addon / better 
privacy (last visited Jan. 30, 2013). 

^‘^TrackMeNot Add-On, Mozilla, https:! j addons.mozilla.org j en-US j firefox j addon j trackme 
not (last visited Jan. 30, 2013). 

Collusion Add-On, Mozilla, http:! ! www.mozilla.org j en-US ! collusion (last visited Jan. 30, 
2013). 

Targeted Advertising Cookie Opt-Out (TACO) Add-On, Mozilla, https:! (addons 
.mozilla.org! en-US (firefox (addon! targeted-advertising-cookie-op! (last visited Jan. 30, 2013). 
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Firefox); No More Cookies®"^ (for Internet Explorer); Disconnect (for Chrome);®® 
AdSweep (for Chrome and Opera);®® CCleaner"^® (for PCs); and Flush'll (for 
Mac). New empowerment solutions are constantly turning up.'^^ Many of these 
tools build around the Do Not Track notion and functionality that the FTC has 
been encouraging. For example, Reputation.com’s new “MyPrivacy” service lets 
users remove their information from various sites and helps them create the 
equivalent of a Do Not Track list for over 100 online networks."^® New tools from 
Priveazy and Privacyfix offer similar functionality and allow users to adjust 
privacy settings for several sites and services at once. Finally, online privacy 
company Abine offers a “Do Not Track Plus,” which it claims blocks more than 
600 trackers."^® Abine also sells a “PrivacyWatch” service, which alerts Facebook 
users to privacy policy changes on the site,'^’^ as well as a “DeleteMe” service 
that helps users erase personal information from various other online sites and 
services."^® 

• The success of one particular tool, AdBlockPlus, deserves special mention. 
AdBlockPlus, which lets users blocks advertising on most websites, is the most- 
downloaded add-on for both the Firefox and Chrome web browsers."^® As of Octo- 
ber 2012, roughly 175 million people had downloaded the Adblock Plus add-on 
for the Firefox web browser.®® Incidentally, both Adblock Plus and NoScript, an- 
other of the most popular privacy-enhancing downloads for Firefox, support the 
Do Not Track protocol.®^ 

• Finally, pressured by policymakers and privacy advocates, all three of those 
browser makers (Microsoft,®^ Google,®® and Mozilla®^) have now agreed to in- 
clude some variant of a Do Not Track mechanism or an opt-out registry in their 
browsers to complement the cookie controls they had already offered. Microsoft 
has even decided to turn on Do Not Track by default, although it has been a 
controversial move.®® These developments build on industry-wide efforts by the 
Network Advertising Initiative and the “Self-Regulatory Program for Online Be- 


More Cookies, CNet.com, http: ! I download.cnet.com j No-More-Cookies ! 3000-2144 4- 
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2.0.3-3 1 ?display=en (last visited Jan. 30, 2013). 

"^^CCleaner, Piriform, http:! j www.piriform.com j ccleaner (last visited Jan. 30, 2013). 

"^^Flush, MacUpdate, http:! j www.macupdate.com j app j mac j 32994 j flush (last visited 
Jan. 30, 2013). 
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2013). 
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Privacyfix, https: / / privacy fix.com (last visited Jan. 30, 2013). 
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sumers from Online Tracking, Microsoft IE Blog (Jan. 25, 2011, 2:43 PM), http:/ / 
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Keeping your opt-outs, Google Pub. Pol’y Blog (Jan. 24, 2010, 12:00 PM), http:/ / 
googlepublicpolicy.blogspot.com / 2011 / 01 / keep-your-opt-outs.html. 

Julia Angwin, Web Tool On Firefox To Deter Tracking, Wall St. J., Jan. 24, 2011, 
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Shankland, Mozilla offers do-not-track tool to thwart ads, CNet News Deep Tech, Jan. 24, 

2011, http:/ / news.cnet.com / 8301-30685 3-20029284-264.html. 
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havioral Advertising”®® to make opting out of targeted advertising simpler. The 
resulting Digital Advertising Alliance is a collaboration among the leading trade 
associations in the field, including: American Association of Advertising Agen- 
cies, American Advertising Federation, Association of National Advertisers, Bet- 
ter Business Bureau, Digital Marketing Association, Interactive Advertising Bu- 
reau, and Network Advertising Initiative.®'^ Their program uses an “Advertising 
Option Icon” to highlight a company’s use of targeted advertising and gives con- 
sumers an easy-to-use opt-out option.®® It was accompanied by an educational 
initiative, www.AboutAds.info, which offers consumers information about online 
advertising.®® The independent Council of Better Business Bureaus will enforce 
compliance with the system.®® Self-regulatory efforts such as these have the 
added advantage of being more flexible than government regulation, which 
tends to lock in sub-optimal policies and stifle ongoing innovation. 

Again, this survey only scratches the surface of what is available to privacy-sen- 
sitive web surfers today.®^ Importantly, this inventory does not include the many 
different types of digital security tools that exist today. ®2 

What these tools and efforts illustrate is a well-functioning marketplace that is 
constantly evolving to offer consumers greater control over their privacy without up- 
ending online markets through onerous top-down regulatory schemes. Policymakers 
would be hard-pressed to claim any sort of “market failure” exists when such a ro- 
bust marketplace of empowerment tools exists to serve the needs of privacy-sen- 
sitive web surfers. 

Importantly, it is vital to realize that most consumers will never take advantage 
of these empowerment tools, just as the vast majority of parental control tech- 
nologies go untapped by most families.®® This is due to a number of factors, most 
notably that not every individual or household will have the same needs and values 
as they pertain to either online safety and digital privacy. 

Therefore, the fact that not every individual or household uses empowerment tools 
should not be used as determination of “market failure” or the need for government 
regulation. Nor should the effort or inconvenience associated with using such tools 
be viewed as a market failure. ®'‘ What matters is that these tools exist for those 
who wish to use them, not the actual uptake or usage of those tools or the inconven- 
ience they might pose to daily online activities. 

Government officials can take steps to encourage the use of PETs, but it is even 
more essential that they do not block or discourage their use.®® For example, limita- 
tions on encryption technologies or mandates requiring that web surfers use online 
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age verification or identify authentication technologies would undermine user efforts 
to shield their privacy.®® 

Appendix III: Societal Adaptation, Evolving Cultural Norms & Privacy 

Many technologies or types of media that are originally viewed as culturally offen- 
sive or privacy-invasive very quickly come to be assimilated into our lives, despite 
initial resistance.®'^ A cycle of initial resistance, gradual adaptation, and then even- 
tual assimilation is well-established in the context of popular entertainment.®® For 
example, the emergence of dime novels, comic books, movies, rock-and-roll music, 
video games, and social networking services all lead to “moral panics”®® or 
“technopanics.” 1®® Over time, however, society generally came to accept and then 
even embrace these new forms of media or communications technologies.^®'^ 

The same cycle of resistance, adaptation, and assimilation has played out count- 
less times on the privacy front as well and “after the initial panic, we almost always 
embrace the service that once violated our visceral sense of privacy.” '®® The intro- 
duction and evolution of photography provides a good example of just how rapidly 
privacy norms adjust. The emergence of the camera as a socially disruptive force 
was central to the most important essay ever written on privacy law, Samuel D. 
Warren and Louis D. Brandeis’s famous 1890 Harvard Law Review essay on “The 
Right to Privacy.” '®® Brandeis and Warren claimed “modern enterprise and inven- 
tion have, through invasions upon his privacy, subjected [man] to mental pain and 
distress, far greater than could be inflicted by mere bodily injury.” '®'' In particular, 
“instantaneous photographs and newspaper enterprise have invaded the sacred pre- 
cincts of private and domestic life,” they claimed, “and numerous mechanical devices 
threaten to make good the prediction that ‘what is whispered in the closet shall be 
proclaimed from the house-tops.’” '®® 

The initial revulsion that many citizens felt toward this new technology was a log- 
ical reaction to the way it disrupted well-established social norms.'®® But personal 
norms and cultural attitudes toward cameras and public photography evolved quite 
rapidly. Eventually, cameras became a widely embraced part of the human experi- 
ence and social norms evolved to both accommodate their place in society but also 
scold those who would use them in inappropriate, privacy-invasive ways. 

That same sort of societal adaptation was on display more recently following the 
introduction of Google’s “Gmail” e-mail service in 2004. Gmail was greeted initially 
with hostility by many privacy advocates and some policymakers, some of whom 
wanted the service prohibited or tightly regulated.'®'' A bill was floated in California 
that would have banned the service.'®® Some privacy advocates worried that 
Google’s contextually targeted advertisements, which were based on keywords that 
appeared in their e-mail messages, were tantamount to reading users’ e-mail and 
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constituted a massive privacy violation.^o® Users quickly adapted their privacy ex- 
pectations to accommodate this new service, however, and the service grew rap- 
idly.^^® By the summer of 2012, Google announced that 425 million people were ac- 
tively using Gmail.^i^ 

Sometimes companies push too aggressively against established privacy norms, 
however, and users push back. This was true for Instagram in late 2012. On Decem- 
ber 17, 2012, the popular online photo sharing service, which is owned by Facebook, 
announced changes to its terms of service and privacy policy that would have al- 
lowed it to more easily share user information and even their photographs with 
Facebook and advertisers. Within hours of announcing the changes, Instagram 
found itself embroiled in a consumer and media firestorm.^^^ The uproar also 
“helped a number of [competing] photo-sharing applications garner unprecedented 
amounts of traffic and new users.” One rival called EyeEm reported that daily 
sign-ups had increased a thousand percent by the morning after the Instagram an- 
nouncement.^^^ According to some estimates, Instagram “may have shed nearly a 
quarter of its daily active users in the wake of the debacle.” 

Instagram’s experience serves as an example of how consumers often “vote with 
their feet” and respond to privacy violations by moving to other services, or at least 
threatening to do so unless changes are made by the offending company.^^'^ Just 
three days after announcing those changes, Instagram relented and revised its pri- 
vacy policy. In an apology posted on its corporate blog, Instagram co-founder 
Kevin Systrom noted that “we respect that your photos are your photos. Period.” 
Despite the rapid reversal, a class action lawsuit was filed less than a week later, 
Although experts agreed the lawsuit was unlikely to succeed, such legal threats can 
have a profound impact on current and future corporate behavior.^^i 

These episodes show how, time and time again, humans have proven to be resil- 
ient in the face of rapid technological change by using a variety of adaptation and 
coping mechanisms to gradually assimilate new technologies and business practices 
into their lives. Other times they push back against firms that disrupt establish 
privacy norms and encourage companies to take a more gradual approach to techno- 
logical change. 
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Appendix IV: Why America’s Privacy Regime is Worth Defending: 

A Better, Simpler Narrative for U.S. Privacy Policy 

by Adam Thierer [originally published on the Technology Liberation Front blog, March 19, 2013] 

Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for 
Google, posted an interesting essay titled, “We Need a Better, Simpler Narrative of 
U.S. Privacy Laws.” Fleischer says that Europe has done a better job marketing 
its privacy regime to the world than the United States and argues that “the U.S. 
has to figure out how to explain its privacy laws on the global stage” since “Europe 
is convincing many countries around the world to implement privacy laws that fol- 
low the European model.” He notes that “in the last year alone, a dozen countries 
in Latin America and Asia have adopted euro-style privacy laws [while] not a single 
country, anywhere, has followed the U.S. model.” Fleischer argues that this has 
ramifications for long-term trade policy and global Internet regulation more gen- 
erally. 

I found this essay very interesting because I deal with some of these issues in 
my latest law review article, “The Pursuit of Privacy in a World Where Information 
Control is Failing.” ^^^4 article, I suggest that the United States does have a 

unique privacy regime and it is one that is very similar in character to the regime 
that governs online child safety issues. Whether we are talking about online safety 
or digital privacy, the defining characteristics of the U.S. regime are that it is bot- 
tom-up, evolutionary, education-based, empowerment-focused, and resiliency-cen- 
tered. It focuses on responding to safety and privacy harms after exhausting other 
alternatives, including market responses and the evolution of societal norms. 

The EU regime, by contrast, is more top-down in character and takes a more stat- 
ic, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a 
diverse citizenry and it attempts to do so through heavy-handed data directives and 
ongoing “agency threats.” It is a regime that makes more sweeping pronouncements 
about rights and harms and generally recommends a “precautionary principle” 
approach to technological change in which digital innovation is more 
“permissioned.” 

Put simply, the U.S. regime is reactive in character while the EU regime is more 
preemptive. The U.S. system focuses on responding to safety and privacy problems 
using a more diverse toolbox of solutions, some of which are governmental in char- 
acter while others are based on evolving social and market norms and responses. 
To be clear, law does enter the picture here in the United States, but it does so in 
a very different way than it does in the European Union. Fleischer actually explains 
that point quite nicely in his essay: 

What is the U.S. model? People in the privacy profession know that the U.S. 
has a dense “patchwork” model of privacy laws: every individual U.S. State has 
numerous privacy laws, the Federal government has numerous sectoral laws, 
and numerous other “non-privacy” laws, like consumer protection laws, are reg- 
ularly invoked in privacy matters. Regulators in many corners of government, 
ranging from State attorneys general, to the Federal Trade Commission, and ar- 
mies of class action lawyers inspect every privacy issue for possible actions. 

Indeed, in my new law review article, I summarize the litany of cases the FTC 
has brought recently on the data security and privacy front using its authority 
under Section 5 of the Federal Trade Commission Act to police “unfair and decep- 
tive” practices. State AGs are active on this front as well, and there is plenty of 
class action activity every time there’s a privacy or data security screw-up. 

Meanwhile, public officials continue to work collaboratively with privacy advo- 
cates, corporations, and educators to develop better education and awareness-build- 
ing efforts, including “best practices” on safety, security, and privacy issues. 

For more details on this U.S. model, please consult pages 436^54 of my article, 
in which I provide a comprehensive overview of what I refer to as America’s “3- 
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E Approach” to dealing with online safety and digital privacy concerns. The “3-Es” 
refer to education, empowerment, and targeted enforcement of existing legal stand- 
ards. As I note in the article: 

[America’s “3-E Approach”] does not imagine it is possible to craft a single, uni- 
versal solution to online safety or privacy concerns. It aims instead to create 
a flexible framework that can help individuals cope with a world of rapidly 
evolving technological change and constantly shifting social and market norms 
as they pertain to information sharing, 

But what frustrates Fleischer is that the U.S model still doesn’t translate into a 
simple narrative for international audiences: 

How on earth do you explain U.S. privacy laws to an international audience? 
How do you explain the role of class action litigation to people in countries 
where it doesn’t even exist? The U.S. privacy law narrative is convoluted. That’s 
a pity, since almost all of the global privacy professionals with whom I’ve dis- 
cussed this issue agree with me that the sum of all the individual parts of U.S. 
privacy laws amounts to a robust legal framework to protect privacy. (I didn’t 
say “perfect”, since laws never are, and I’m not grading them either.) By con- 
trast, Europe’s privacy narrative is simple and appealing. Its laws are very gen- 
eral, aspirational, horizontal and concise. Critics could say they’re also inevi- 
tably vague, as any high-level law would have to be. But, like the U.S. Bill of 
Rights, they have a sort of simple and profound universality that has inspired 
people around the world. And they are enforced (at least, on paper) by a single, 
identifiable, specialist regulator, 

I understand the frustration Fleischer is expressing here regarding how to frame 
the U.S. model for broader audiences. But the crucial point here is that, as he cor- 
rectly notes, “the sum of all the individual parts of U.S. privacy laws amounts to 
a robust legal framework to protect privacy,” even if it is the case that we will never 
achieve anything near perfection when it comes to online privacy (or online safety 
for that matter). But it is unfortunate that Fleischer ignores the many other moving 
pieces at work here that are important to the U.S. system, especially the diverse 
array of educational and awareness-building efforts, as well as the astonishing array 
of empowerment tools that currently exist to help user protect their privacy to the 
degree they desire. 

Of course, it should also be obvious that the U.S. regime is never going to appeal 
to a global audience as much as Europe’s privacy regime for the same reason that 
many other U.S. policy regimes don’t appeal to certain countries or their leaders: 
our systems aren’t regulatory enough in character for them! But while those top- 
down, centralized, preemptive regulatory regimes will almost always be more “aspi- 
rational, horizontal and concise” — and, therefore, have greater appeal to activist- 
minded lawmakers and regulators — that also means those regimes will likely leave 
less breathing room for social evolution (Le., evolving norms about safety and pri- 
vacy) and economic innovation (new digital goods and services that potentially dis- 
rupt those regulatory expectations). That has real consequences for long-term 
growth and overall consumer welfare. 

Regardless, to the extent we need “a better, simpler narrative for U.S. privacy pol- 
icy” as Fleischer suggests, I believe we can boil it down to a few words: bottom-up, 
evolutionary, flexible, and reactive. What this means for public policy is clear: We 
need diverse tools and solutions for a diverse citizenry, while leaving plenty of 
breathing room for ongoing innovation and the evolution of social norms and market 
responses. Whether it’s online safety or distal privacy, public policy should take into 
account the extraordinary diversity of citizen needs and tastes and leave the ulti- 
mate decision about acceptable online content and interactions to them. We should 
look to educate and empower citizens so that they can make decisions about their 
online safety and privacy for themselves so that policymakers are not constantly try- 
ing to make decisions on their behalf. 

This is a model worth defending, even if it is sometimes hard to delineate its con- 
tours. Please read my Harvard Journal of Law & Public Policy article for a fuller 
exploration of that model and a defense of it. 

The Chairman. And I will have one in just a moment. 

This is to each witness to answer briefly. The online advertising 
industry, as has been pointed out, stood at the White House last 
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February and made a promise to honor Do-Not-Track requests from 
consumers by the end of the year. And yet, as I sit here today, 
these promises have been broken. 

Do-Not-Track is still just an idea, not a reality, and I have heard 
a lot of finger pointing in the press. So my question is, but now I 
have you all here, and I would like each of you to tell me what ex- 
actly is the hold-up. Can you come to the table at the W3C and 
make good on your word to implement Do-Not-Track? 

Starting with you, Mr. Anderson. 

Mr. Anderson. Thank you. Chairman. 

Yes, we will come to the table and make good on our commit- 
ment to honor Do-Not-Track. We have. 

The DAA said some things just now that I think are actually spe- 
cious. The notion that they can’t implement Do-Not-Track because 
Firefox announced that it was going to explore, test third-party 
cookie blocking is — is just — it is offensive, actually. 

The DAA already was not responding to Do-Not-Track. When IE 
announced that they were going to turn Do-Not-Track on by de- 
fault, they told their members don’t respond to it. We are not doing 
Do-Not-Track. That was last year. Last year. 

This just happened. The third-party cookie thing was in Feb- 
ruary. And no, we didn’t say — it hasn’t happened. We said we were 
going to test it. I have spent days meeting with members, DAA 
members, members of the ad ecosystem to understand how third- 
party cookie blocking would affect them. 

By the way, what they have told us is some say, depending on 
where they are in the industry, they will have different answers. 
Most have said they think the impact would be negligible. Some, 
who rely on it purely like the retargeting folks — retargeting, which 
is different than BT, behavior targeting — are extremely concerned. 

There is also the sentiment, at least among publishers and many 
of the ad ecosystem people, that behavioral targeting, the effective- 
ness itself is questionable. This is not to say that they don’t get 
more money for it, but whether it is actually effective, it is unclear. 
At least from that sector, that is what they have told us. 

So you could speak directly when I am done. So, anyway, that 
is the answer to my question — to your question. 

The Chairman. Very good. Please. 

Mr. Mastria. Senator Rockefeller, thank you. 

We stand — we sit here today ready to sit and work through the 
agreement that we made with the White House. So we encourage — 
as we did in our testimony, we encourage Microsoft, Mozilla, FTC, 
all the other parties, to sit with us and work through that for a 
standard that would meet those conditions. 

But let me go back to something you mentioned at your opening, 
if I might? 

The Chairman. Could you go back to answering my question? 

Mr. Mastria. I thought that was your question. Senator. 

The Chairman. Why isn’t it working? 

Mr. Mastria. That, in fact, we stand ready today to work toward 
the implementation of the White House agreement for Do-Not- 
Track. 

The Chairman. Go ahead. 
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Mr. Mastria. I would like to go back to a point that you raised, 
which was that consumers should make that choice. We agree. We 
wholeheartedly agree. 

What is happening with Mozilla and with Microsoft is that the 
browsers are making that choice, not the consumer. And that is a 
completely different dynamic. 

Perhaps there are competitive reasons. Perhaps there are other 
reasons. We don’t know. But we know for sure one thing, that user 
choice is not being satisfied, and that is something that we — we de- 
liver on, we promised to deliver on, and we do on — on a routine 
basis every single day. 

And so, the other point that Mr. Anderson raised that interest- 
based advertising is somehow some sort of fringe or immaterial 
thing, I would submit that 2X publishers are willing to pay twice 
as much for interest-based advertising, and consumers click 
through those ads twice as often, which means that they find it 
twice as convenient, twice as relevant, speaks volume for how inno- 
vative the product is. 

The fact is that there may be other reasons why companies 
choose to invest in different parts of privacy, but that is not what 
is going on here. We are the ones who are delivering consumer 
choice day in and day out. What is being delivered by the browsers 
right now is not consumer choice. In fact, it is browser choice. 

The Chairman. Mr. Brookman? 

Mr. Brookman. I think it is a good question. I can’t answer why 
they haven’t turned it on or responded to it. 

As I mentioned during my testimony, Google Chrome’s Do-Not- 
Track implementation meets every test they could possibly want. 
Those signals are going out from users who go out of their way to 
find that setting and turn it on. Industry is not responding. 

Apple Safari, you have to go out of your way to turn it on. Indus- 
try is not responding. There is nothing in the White House agree- 
ment about cookies. Apple hasn’t allowed cookies for 10 years. So 
I am not entirely sure how that is relevant. 

CDT has proposed a reasonable middle ground going forward. 
Back in January 2011, we have consistently tried to bring both 
sides to the table to agree. I think it is in industry’s interest to 
agree because if they keep taking a hard line in the sand, it won’t 
be cookies being blocked. It is going to be ads being blocked, and 
that is the kind of tools Adam was talking about. 

Those aren’t Do-Not-Track tools. They are ad-blocking tools, 
which I think are a bad way to go for everybody. 

Mr. Thierer. So, Senator, to answer your question, I think there 
are many reasons why this process has slowed down, but I think 
one of them is a simple truism that setting technical standards is 
really hard. And what W3C is doing here is trying to negotiate 
something for a very complex and fast-evolving ecosystem. 

I should point out as well, as I pointed out in an appendix to my 
testimony, we have sort of been here before with the W3C. W3C 
has instituted the Platform for Internet Content Selection, or PICS, 
for online objectionable content. It also tried on privacy — a Plat- 
form for Privacy Preferences, or P3P. 

These are both good faith efforts to deal with serious issues of 
online child safety content, privacy issues. Ultimately, they did not 
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work so well. And this is what leads to my skepticism about trying 
to use these sort of technical silver bullet schemes, as I call them, 
to solve these complex problems, as opposed to a multilayered ap- 
proach to get at the issue. 

The Chairman. Senator Thune? 

Senator Thune. Thank you, Mr. Chairman. 

I would direct this to all the witnesses and just ask a general 
question, and that is do you believe that a multi-stakeholder proc- 
ess, whether it is the ongoing W3C effort, which has been discussed 
at some length, or a future effort, is a better way to reach an en- 
during and broad solution than a regulatory approach that would 
be — come down mandated from the Government? 

Mr. Anderson. Go ahead, Justin. 

Mr. Brookman. So we have heard a lot about this. I mean, it is 
like the approach that we like is a basic comprehensive privacy law 
that allows for safe harbor programs like a self-regulatory model 
like DAA, like a multi-stakeholder approach that gets together and 
comes up with a code and says, hey, for our industry, if we do this 
negotiated code, does that mean we are in compliance with existing 
law? 

I think that is the model that we have advocated. We have seen 
it proposed in President Obama’s consumer privacy bill of rights. 
We have seen it in other legislation. I think that is a good way to 
get people into the room to agree to reasonable standards. 

Without a baseline of saying you have to respect users’ privacy, 
there is not enough incentive, I think, for any individual company 
to take the right steps in a lot of cases. 

Mr. Mastria. So I would submit that we run a self-regulatory 
program. Our program provides meaningful consumer choice every 
single day. Consumers do take advantage of it. It is in prime real 
estate. We made sure of that. 

And so, I think that our program is far superior, much more nim- 
ble than any regulatory mandate. Even today, as we speak, we are 
getting ready to launch what would be the guiding principles for 
data collection inside the mobile and applications environment. 
That is a huge leap forward. 

And that is on top of already producing two codes of conduct and 
multiple technologies to help consumers manage their online pri- 
vacy. We think that we are more nimble, but we don’t take a 
stance on regulation or legislation. 

Senator Thune. There is another question. This, again, can be 
open and whoever would care to answer this. 

But are there specific and identifiable harms being witnessed in 
the marketplace today because of behavioral and interest-based ad- 
vertising? 

Mr. Thierer. Privacy is an highly subjective condition. Senator, 
and obviously, people have different feelings about it, the same way 
they do about what is optimal safety or security. So it is tricky. 

But to the extent that there are actual harms that can be identi- 
fied, we have many remedies that exist, as I noted in my testi- 
mony, whether they be FTC remedies, unfair and deceptive prac- 
tices, targeted laws dealing with very sensitive privacy issues, such 
as health, financial, or children issues. And then we also have 
State laws as a backdrop, along with class action activity. 
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Where there are harms, they are pursued. The FTC has been in- 
credibly aggressive in recent years and has addressed these things 
with consent decrees with some of the biggest players in the online 
economy, which sends a pretty powerful message to other players, 
I believe. 

But for the most part when people talk about these harms, they 
usually say things like online advertising or targeted advertising is 
“creepy.” But it is hard for me to find a real harm with creepiness. 
I think a lot of my neighbors are creepy, but I don’t think they are 
harmful. 

So I would say that we need to identify more concrete harm than 
creepiness. And we also need to acknowledge the benefits on the 
other side of that equation. 

Mr. Mastria. I would submit — oh, was that just 

Senator Thune. No, go ahead. So, hopefully, his neighbors aren’t 
watching this. 

[Laughter.] 

Mr. Mastria. Senators, I have been at FTC hearings and work- 
shops where this very issue was addressed, and I have heard staff 
ask many times, “Where is the harm?” And there hasn’t been any 
that has been demonstrated. 

As Adam suggested, there have been issues of creepiness. And to 
be sure, that there are folks who would like to have control over 
their privacy experience online, and that is what we built our tools 
for, and that is what we see. We see the same kind of response to 
those tools that we — that the industry has seen in preference man- 
agement tools for a decade. 

A lot of consumers come to the tool. Just knowing that the tool 
is available oftentimes makes the consumer feel comfortable. But 
if there is a consumer who feels that much more dedicated to exer- 
cising a choice, the tool is there, and 2 million folks, nearly 2 mil- 
lion folks with us have, in fact, exercised that choice. 

So I think that that is really the answer to the question. I think 
from our perspective, as we talk to consumers, when we asked 
them about what is top of mind in terms of privacy for them, what 
we hear is viruses, malware, identity theft. Interest-based adver- 
tising is not the top of that list. 

Mr. Anderson. Senator Thune, if I could just — I think you are 
asking the right question about the harm. It is tough because the 
harm in this case potentially is if you undermine confidence in the 
ecosystem, then people don’t engage and participate. 

And we saw that with online commerce initially. Remember, peo- 
ple were afraid to put their credit cards on the Web, and that real- 
ly held back commerce at first until people started to rely on the 
notion of encryption. Whether they knew what it meant or not ex- 
actly or how it worked, they gained more trust. And now we see 
a booming online commerce, actual transactions online. 

But there is something else here that we have talked about 
choice. It really helps people. The 45 million people on Firefox that 
I talked about that have turned on Do-Not-Track, we didn’t set 
that. The users went into the preference and set turn Do-Not-Track 
on themselves. 

So that is 45 million people pored through the menus to turn 
that on at 17 percent rate of our user base in the U.S. 
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Mr. Brookman. I think this is really more about consumer choice 
and consumer preferences rather than harm. I mean, if a couple 
walks into a restaurant and says, “Hey, can I have a private 
booth?” The maitre d’ doesn’t turn around and shout, “What is the 
harm?” They try to accommodate them. They try to them out. They 
say, “Yes, OK, you are my customer. I want to help you out.” 

That is what I think the browsers are doing here. They have 
heard over and over and over from consumers again that they don’t 
like this. You can judge them for not thinking through the harm 
very well, but they have made a statement, and they want privacy 
protection in browsers. 

And so, we are seeing the browsers respond to that either by 
turning off cookies. Some of them offering ad block add-ons. Or 
what we are trying to do is have a middle ground approach of Do- 
Not-Track, which is a signal to the company saying, “Hey, you can 
still get some information about me, but don’t retain it, don’t build 
a profile about me.” 

And that way, I get the advertising, but I don’t get you knowing 
a whole lot about me. That is what we are trying to achieve here. 
And I think that is what Do-Not-Track is supposed to do. 

Mr. Mastria. If I may answer one question on the point that Mr. 
Anderson raised regarding track 

The Chairman. I am sorry. Your time is up. The Senator’s time 
is up. 

You have talked a good deal. The Senator’s time is up. I want 
to go on to Senator Heller. 

Senator Heller. Senator McCaskill? 

The Chairman. She looks nervous. 

Senator McCaskill. I don’t know what to say. 

The Chairman. Senator McCaskill? 

Senator McCaskill. You may go first. 

Senator Heller. It is fine. It is fine. 

Senator McCaskill. We are going to get along very well on our 
subcommittee, Mr. Chairman. 

The Chairman. This is according to who got here first. 

Senator McCaskill. Oh, OK. Well, go ahead. I am staying so 

Senator Heller. I am happy to move forward. Thank you, Mr. 
Chairman. Thanks for giving me a couple minutes. 

And I want to thank again for those who are testifying, for being 
here today and taking time out of a busy schedule. 

Mr. Brookman, I have some specific questions. Some of the 
things I understand, if I go online and I purchase an item, I know 
I am going to be tracked. I know that. 

After today’s vote, I guess, on the Senate floor, I am also going 
to be taxed. But that is a different discussion for another time. 

I also know that third-party advertising companies puts cookies 
on my computer. I know that. Let me ask you, do you believe that 
the general public understands this? 

Mr. Brookman. I don’t. I think the ad industry has done a noble 
job in trying to move forward with the icon project to put some no- 
tice on all the ads that you can click through and get information. 

Unfortunately, as I have gone around and talked at events where 
people come and want to hear about privacy, very, very, very few 
understand what that is or have interacted with it or know what 
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is going on. Talking with people outside of my industry when I de- 
scribe what online behavioral advertising is, they say, “What?” 

I think as targeting is getting better, I think people are starting 
to see very targeted ads. So they are seeing more and more retar- 
geting. So when my wife looks for shoes online, as I am surfing 
later, those shoes follow me around the Internet. 

I went to the Venetian site once, and the Venetian followed me 
around for 6 months. And so, I think people are starting to become 
aware something is happening, but I don’t think they understand 
how it works. 

And you see polls after poll after poll is when it is described to 
them, a lot of them don’t like it. I just want to give them some 
choice around it. 

Senator Heller. Yes, if you have follow-up? 

Mr. Mastria. Yes, specific to the polls. So we asked consumers 
not in any inflammatory terms, we asked them simply what is your 
preferred online experience? How do you like getting free content? 
What do you like about advertising? 

And you know what we heard back? What we heard back is that 
the preferred online experience is free content with relevant adver- 
tising. Consumers acknowledge that they are going to get adver- 
tising. It might as well be for something that they are interested 
in. 

I don’t like to golf particularly, but I do like to bike ride. Why 
not, it would make a lot more sense for me to get that bicycling 
ad. 

I want to make one last point about the point that Mr. Anderson 
raised. The Do-Not-Track that is being set inside the Mozilla 
browser does not mean anything. Consumers are being told Do- 
Not-Track. Does that mean zero data collection? As you acknowl- 
edged, Chairman, the reality is that there has to be some data col- 
lection for the Internet to work properly. 

In the case of Mozilla, in fact, we know 60 percent of folks would 
like to have no tracking even on first-party sites. So does that 
mean that no first party, if you are looking at somebody’s site, that 
they cannot collect data on you? What does it mean? 

And I think that that is really one of the challenges here is that 
there is no standard definition for what that means, and therefore, 
answering that signal, as it has been so simply put, has been some- 
thing of a challenge. And so, what we are looking for is to sit down, 
go through the White House commitment that we all agreed to, 
and map that out, understand what it means. We have a definition. 
We have a standard, and we would be willing to abide by it. 

Senator Heller. Let me go back to you, Mr. Brookman — and 
thank you for your comments. 

There are some that believe that first-party tracking online 
tracking is better than third-party tracking, obviously because of 
the online introduction. Is that an accurate assumption? 

Mr. Brookman. I think it is more intuitive, right? I mean, if I 
go to Amazon.com, I buy a bunch of stuff. Later on, Amazon says 
here are the power drills. You asked for that last time. I kind of 
get I have a relationship with Amazon. They are showing me 
things that I liked before. 
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Later on, if I read stories about the New York Giants on 
Newyorktimes.com, and some company I don’t know reads that and 
gathers it, and then later, I am at Foxnews.com, and I start getting 
Giants ads, I am like, “Who knows this? Who is this?” I mean, does 
Fox News know this? Does some company I never heard of know 
this? 

So I think that relationship and that contextual intuitiveness 
does make first-party tracking a little more understandable for 
most users. 

Senator Heller. Very good. Thank you, Mr. Chairman. 

The Chairman. Thank you. Senator. 

Senator McCaskill? 

Senator McCaskill. So this is really hard because we have 
browsers versus advertisers. We have first party versus third 
party. We have big versus little. And the browsers are all pretty 
big. 

I mean, I know my friend from Mozilla, and I visited there, and 
I have a lot of respect for what they are doing. And I get what 
Microsoft has done. But a lot of this is about competing with 
Google. And Google hasn’t been talked about a whole lot today, and 
obviously, they are the huge, giant thing in the room because they 
are first party, and they have a lot. 

So my first question is how did we get to the point that W3C is 
deciding all this stuff? I mean, it seems weird to me. 

I mean, I am running around here, and we have so many people 
worried about the sovereignty of our country and who is deciding 
our economic future, and we have all this stuff. I mean, we have 
got people in the Senate that actually believe the United Nations 
is something that we can’t be a party to anymore, that they are 
threatening us. 

And now the biggest part of our economic growth in this country, 
that sector of our economy, we are all saying we are going to turn 
it over to W3C. And they have done technical before, but I don’t 
recall them making huge policy decisions like this. 

And I will be honest with you, I know we are bad at this. You 
know, trying to get this done and reconciling browsers versus ad- 
vertisers, first party versus third party and big versus little. But 
I am a little uncomfortable that all of us seem to have agreed in 
the room that we are ceding the authority to set this policy to some 
organization I am not even sure who is in charge of this organiza- 
tion. 

Who do they answer to? Who are they, and how did we get to 
this point? 

Mr. Mastria. Senator, I can tell you based on where the DAA 
has been, and I mentioned earlier in my testimony the White 
House agreement, which we still hold, the browsers brought W3C 
into this. 

We sit at the table. We are parties to the negotiation. We try to 
be constructive when we can, even to the point of trying to be edu- 
cational on things like businesses need to have their customer data 
bases. There is no way around that. Right? We had to make that 
point. 

But browsers brought them in. Again, we are willing to sit down 
to make the White House agreement a reality. 
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Senator McCaskill. OK. Your turn, Mr. Anderson. 

Mr. Anderson. Thank you, Senator. That is a good question. 

So, as you recall, when DNT was initially launched, the reason 
why people couldn’t respond to it was because trade said, well, we 
don’t know what it means. So we said how about a multi-stake- 
holder process? Let us use the W3C. They are a standards body. 
They are used to doing it and defining it. So we all agreed let us 
go there and define it. 

Senator McCaskill. But had they done policy before, or had they 
just done tech? 

Mr. Anderson. No, no. Yes, policy — and I would agree with you. 
They don’t do policy. They do technical standards. 

Senator McCaskill. But isn’t this policy? 

Mr. Anderson. That is what I have said here, that they had 
should be focused on the technical side, but not the self-regulatory 
part. The W3C is not a self-regulatory body. At best it will do is 
codify an agreement of people that want to create a common agree- 
ment. 

Senator McCaskill. So what you are basically saying is this is 
just a place to go to try to see if all of you guys can agree? Couldn’t 
we just set a room somewhere and all of you get there and try to 
decide and see if you all agree? 

Mr. Anderson. Yes. Well, that is how HTML 5 was set up. So 
W3C didn’t work for HTML 5. The browser makers got together 
and informally created the standard, and once it was sufficiently 
understood, you know, 70, 80 percent done, it sort of got turned 
over to W3C. 

Senator McCaskill. Are we setting the precedent if this comes 
from W3C? Are they going to be the policymaking body for the 
Internet sector for time immemorial? 

Mr. Mastria. I think this is going down 

Senator McCaskill. Let me hear from down here. 

Mr. Thierer. I just want to say one brief thing in defense of the 
W3C here because I have been critical of some of the things they 
have done, including in this process. But no matter what one 
thinks of the W3C or this process, I think most people in the Inter- 
net community would agree that it is better positioned to deal with 
technical standard-setting processes than the FTC or other regu- 
latory agencies if for no other reason that it is a more evolutionary 
body. It can go with the flow. It can change. 

We might not even have cookies in 5 to 10 years. It might be 
something totally different. The W3C process could maybe evolve 
to deal with that problem. 

So I think it is wrong — it is not a shadowy group that we need 
to worry about. They actually do some really good work. 

Senator McCaskill. Can you say that about the U.N.? Can we 
not worry about the U.N. anymore? 

Mr. Thierer. If it was dealing with the Internet, I might be a 
little bit concerned. I don’t know. But in this process, I don’t think 
we need to worry too much about this. But I think, again, it is bet- 
ter that we evolve it through that process than through a top-down 
process. 

Senator McCaskill. Than through Government? 

Mr. Thierer. Than through an FTC process. 
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Mr. Brookman. Just one thing to point out, the W3C is a vol- 
untary coalition of — mostly it is a bunch of companies, right? And 
the people in the room are Google and Yahoo! and Microsoft and 
Adobe and AT&T. I mean, CDT is a member. EFF is a member. 
Stanford is a member. But other than that, it is mostly just large 
companies trying to get together to talk through decisions about 
how the Internet actually functionally works. 

Senator McCaskill. OK. Well, I just want to make sure — and I 
have had this discussion with several of the folks that have been 
mentioned today. I want to make sure that we are not shutting 
down something after the big guys have all gotten the cows out of 
the barn, and they have got this, and now it is going to get shut 
down so all the little ones that can ^ow and become the big ones 
of tomorrow have less of an opportunity to access the richness that 
is online commerce. And that is a concern. 

And I know that all of you share it, and we have got to keep 
working at this because this is harder than it looks. 

Senator Thune. Mr. Chairman, I would say that on behalf of a 
number of colleagues on my side that we would be really worried 
if W3C is run by the U.N. 

[Laughter.] 

Senator McCaskill. I gathered that. We will probably have a 
vote tomorrow. And next we will say that they are sending out 
drones. 

[Laughter.] 

The Chairman. I think the point here is that W3C, or whatever 
it is, it doesn’t really make any difference. It has no authority 
whatsoever, absolutely none whatsoever. And I think that some of 
you have used it as a takeoff place to talk about it rather than 
about the questions that we are really here to solve, and that is 
how do you protect the vast number of people who use the Internet 
and who use through the browsers of the Web, and they have no 
idea what is going on? 

I will give you an example. This morning, I was with somebody. 
We were talking about this. And he said that is funny. Just last 
night, I was trying to — I wanted to find out about something, and 
I went on. And I began to get an answer, but then it referred me 
to the down below part. And the down below part was all this tiny 
print, which we on the Commerce Committee are so familiar with 
through health insurance companies and the cruise lines. 

I don’t want to compare you to the cruise lines. You really don’t 
want me to compare you to the cruise lines, I promise. Because 
what they do, for example, is if you buy a ticket, you have to buy 
the ticket. They have a distinguished record, as you know. And 
then after you have bought the ticket, you sort of peel down the 
part of the ticket, and you discover that you just ceded all your 
rights to bring any class action suits against the cruise line, this 
kind of stuff. 

There is a similarity in the ignorance of a lot of consumers, not 
because they are dumb, but just because they don’t have the time 
to do all of this. And I think probably a tremendous percentage of 
those who go onto the Internet with the idea of buying or whatever, 
it is situational. I want to read about France, and so then they 
start getting ads about the cheapest flights to France. That is fine. 
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Others are behavioral. That gets a little bit more serious because 
that covers a much broader area of activity, and what people write 
on blogs and all kinds of things. And people really do get to know 
you very, very well. 

But they don’t know, the great majority of the people who use 
the Internet, which is just so young — A1 Gore did such a good job — 
and such a good job that today it is the number one national secu- 
rity threat to the United States of America through cybersecurity. 
And we are all trying to figure out in 20 years, how does something 
like this happen, or 25 years, whatever it is. 

But the point is they don’t know. That is the harm that you are 
talking about. You are not talking about harm or creepiness or 
your neighbors, whatever. The harm is that people don’t know 
what they are getting into. They don’t know whether or not be- 
cause they can’t find it. It is in small print. 

I think it is all of this is rather easy. Senator McCaskill, not very 
hard. I just think it is a question of do people want to say, as a 
matter of general principle, that minus the cyber security and fraud 
and stuff that we have built in to make sure that there is that 
there, that they want to be left alone. 

They want to do — they want to transact their business. They 
don’t want to be followed around. They don’t want to be followed 
up on, and they have no way of doing that. Plus, no matter what 
kind of WC3, or whatever it is, W3C — is that it? 

Senator McCaskill. It is W3C. 

The Chairman. I don’t really care. But no matter what, it is not 
enforceable, and you can’t enforce it. And you don’t enforce it. So 
you can talk about “our Do-Not-Track policy.” You don’t have one 
that you can enforce. Correct? Correct? 

Mr. Mastria. Senator, if I might 

The Chairman. No, I am just asking, am I correct? 

Mr. Mastria. No, you are not. Senator. 

The Chairman. OK. Well, then you tell me all about that. 

Mr. Mastria. Yes, absolutely. Our self-regulatory program actu- 
ally tracks very closely to the principles that you lay out in your 
own bill, number one. Number two, in terms of compliance, the 
counsel of Better Business Bureau has brought 19 — to date, 19 
compliance cases against both members of DAA and nonmembers, 
covering the entire marketplace of participants. 

We think that we do offer a single one-button choice to con- 
sumers who choose not to receive relevant advertising and have 
their data either collected or used. That is what the DAA does. 

In terms of making it available and education, we are completely 
with you. Senator. And in fact, we are so much with you that we 
place our icon — we have removed this piece outside of the tradi- 
tional privacy policy, and we put it in prime real estate on top of 
every ad creative, a trillion times a month. And this isn’t on small 
ads and little ads that are buried. This is at the top of many 

The Chairman. The symbol is. 

Mr. Mastria. That is right, the symbol is. And if you click on the 
symbol, you get a choice to opt out. It is as simple as that. 

I think we have delivered what basically in principle you have 
laid out in your bill. We are certainly open to making modifications 
where necessary. I know Justin is working on one with us right 
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now in terms of narrowing the research description, and we are 
happy to continue down that path. 

But the reality is that we made an agreement last year at the 
White House to include browser-based choices as complements to 
our system. We still stand by that deal. We still stand by that 
agreement. We ask that everybody else who was in that room also 
stand by that deal. We think that is fair. 

The Chairman. I see it differently, and my time is running out. 
I see that the reason that you don’t like Mozilla and Microsoft, et 
cetera, is that they have gone — they have made it even easier for 
the consumer. 

We are about consumers here. We are not about how much 
money you make. We are into how much money you make, pro- 
vided it doesn’t harm consumers or take advantage of consumers 
or overload them with stuff they don’t want. 

It is the right of an American to not want to have — you know, 
I buy DVDs because I like DVDs, OK? And so, I expect to get, 
about a week after I have gotten a slug of DVDs, a magazine about 
more DVDs, and I welcome that. Otherwise, I just don’t get much 
reaction from it. I like that. 

I don’t want to be tracked. I don’t want to be tracked contex- 
tually. I don’t want to be tracked behaviorally. And you do both. 
And you make — that is the way you have to make your money. But 
how do you make your money? You make your money by selling 
ads. 

What are we talking about here? We are talking about making 
it more difficult for you to sell your ads because consumers would 
be able to say, “I don’t want this. I want this turned off. I just sim- 
ply don’t want it. I don’t want to be philosophical about it. I don’t 
want to get in the details of it. I just don’t want it. I want privacy.” 

That is a pretty basic American instinct. 

Senator Thune? 

Senator Thune. Mr. Chairman, if I might, and I would like to 
direct this to Mr. Brookman. You mentioned in your prepared testi- 
mony that you believe these ongoing negotiations on Do-Not-Track 
technical standards demonstrate, and I quote, “a need for funda- 
mental reform of our Nation’s privacy protection framework.” 

However, the approach we are currently discussing, both in the 
W3C process and in the Chairman’s legislation, contemplates re- 
forms that focus squarely on the activities of third parties. Do you 
think that approach that favors the ability of first parties to collect 
consumer data raises additional competition concerns in the mar- 
ketplace? 

Mr. Brookman. I am not a competition lawyer. I do think com- 
prehensive law should address first-party data collection. 

I think the framework we have seen in some of the bills that 
have been introduced are that for first-party data collection, which 
is more intuitive, I understand I have a relationship with Amazon. 
They collect some stuff about me. I may be able to opt out from 
that marketing, but not on a global basis. I can do it on a one-by- 
one basis. 

Whereas for third parties who I don’t have a relationship with, 
I think the relationship is different. I think the rules have to be 
a little bit more stringent for third parties. 
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I think from an average consumer’s experience, they get Amazon. 
They don’t get a company like the Rubicon Project because they 
just don’t know who they are. They are not a bad company. It is 
just they don’t have a relationship with them. It is harder for them 
to track them down and say, “Sorry, leave me alone.” 

Mr. Mastria. Just, Senator, if I may? So Justin earlier men- 
tioned that only the folks inside the DAA program would be af- 
fected by the one-button opt-out. Let me just clarify that a little bit. 

The folks inside the DAA program are 90 to 97 percent of the en- 
tire Internet ecosystem. We encompass almost the entire digital ad- 
vertising ecosystem. And so, a one-stop button for that is, in fact, 
what we provide, and we think that we have developed a system 
that both provides the preferred user experience while giving con- 
sumers privacy choices they can act on. 

Earlier today, I had soup at lunch. It was Virginia — ^West Vir- 
ginian ramp soup. I had never heard of it. I immediately searched 
for it online. Will I get some advertising related to West Virginia? 
I probably will. 

If it is more to my liking, perhaps it involves biking, I might take 
an action on it twice as much as if I didn’t get it. So that is the 
color that I want to add to Justin’s remarks. 

Senator Thune. This one will be for Mr. Thierer. It appears that 
privacy and consumer tools are increasingly being used as competi- 
tive differentiators in the online market to earn new users. It also 
appears, however, that certain tools described as consumer empow- 
ering can also be used to more firmly establish market power. 

Can you speak to the notion of online privacy being used to both 
enhance and even perhaps diminish competition? 

Mr. Thierer. Well, on the enhancing competition point, it was 
just last night I saw the first Microsoft ad that mentioned Do-Not- 
Track by name. And Microsoft has been running a series of ads, ba- 
sically trying to counter Google in many ways and differentiate it 
from Google based on privacy and security. That is a healthy form 
of competition in the marketplace that we are seeing. 

Likewise, Mozilla, what they have been doing is doing the same 
thing. You may have heard of a very small start-up search engine 
called “DuckDuckGo” that competes on privacy and has been put- 
ting up billboards in Silicon Valley about how they don’t collect any 
information when you search on their site. 

I am not sure what their business model is. We will see. But 
good luck to them. That is great that we have that sort of competi- 
tion. The more of that, the better. 

In terms of how it could adversely affect the marketplace, I am 
not too worried so as long as the marketplace continues to evolve 
dynamically and freely and that we are not locking in any one 
standard that others may choose. 

If it is the case that what Mozilla has chosen to do with third- 
party cookies or Microsoft has chosen to do with setting the default 
for Do-Not-Track to on, if consumers flock to it, so be it. They still 
have other options, and that is good. If they don’t like it, it could 
end up that that tips the balance in favor of Google and Chrome 
because people just don’t want to be bothered with interstitial pop- 
ups that basically say you have got to allow us to track you. You 



60 


have got to allow us to set a cookie, whatever else, and they just 
say, “Forget this, I am going somewhere else.” 

Mr. Mastria. If I may? We have a letter here from 700 small 
publishers that have written to Google — written to Mozilla, apolo- 
gies, who basically said that the third-party blocking — which I am 
hopeful is, in fact, just a test and not a real thing — would, in fact, 
impact their business and their ability to grow. 

Senator Thune. Thank you, Mr. Chairman. 

The Chairman. Thank you. Senator Thune. 

Would Mountain View, California, like to respond to that? 

Mr. Anderson. Yes, thank you. 

Relative to the third-party cookie blocking proposal, you know, 
there is — they sought to create a petition, and you have 700 people 
sign up that is right on your homepage. There you go — 700, 500, 
a couple hundred people. 

The former Chairman of TAB, we asked him what he thought 
about this, and the Online Publishers Association, we asked them 
what they thought about the third-party cookie blocking. And both 
organizations, they thought that there is a real problem here, fun- 
damentally, and that is one way to address it. They didn’t have the 
same concerns. They didn’t feel that it was as disastrous as it has 
been portended here. 

But I think even the discussion of the third-party cookie piece 
conflates Do-Not-Track. So it is almost as if we were saying if there 
was no proposal for third-party cookie blocking, just take it off the 
table because we are just evaluating it, why aren’t we responding 
to Do-Not-Track now from the Firefox users who opt in today? Why 
doesn’t that happen? 

Mr. Mastria. If I may? I already answered that. The word 
“track” means nothing inside the Mozilla browser. That is just the 
way it is. 

And as far as the former chairman of the TAB and the OPA, I 
would point out this. That the TAB today does not support the 
Mozilla standard and, in fact, the former chairman does not speak 
for the TAB. The LAB is the leading trade association for online 
publishers. It is a founding member of the DAA. 

As far as the OPA goes, we have had a conversation with their 
chief executive, and she assures us that, in fact, there is a problem 
with the third-party blocking prospect that Mozilla is talking 
about. 

Senator Heller. Is it my turn? 

The Chairman. Yes, I just apologize. 

Senator Heller. Thank you, Mr. Chairman. I know this 
issue 

The Chairman. You have got a great sense of humor. You know 
that? I love that Las Vegas line. 

Senator Heller. Do you? 

The Chairman. Yes, you were on a roll there. 

Senator Heller. Yes, I will keep it going if you want me to. 

The Chairman. No, actually 

[Laughter.] 

Senator Heller. Thank you, Mr. Chairman. 
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I know this issue is important to you, and obviously, it is impor- 
tant to all of us up here as we are asking these questions. And 
clearly, those that are listening to the testimony are as interested. 

And I think you are right. I think you are right. People don’t 
know. People just don’t know. And I think if they knew, they might 
care. But we don’t know because they don’t know. 

Mr. Thierer, you talked about some of the members of the indus- 
try advertising, getting billboards out. In fact I noticed on a Lakers 
game, I think it was Microsoft came out and said we are concerned 
about your privacy, during an NBA playoff game. So, clearly, in- 
dustry is understanding, boy, it is time to get this information out 
there because more people are becoming concerned, and I think 
they have a right to be concerned about the amount of information 
that is being collected. 

So I think I would like to ask about what information is collected 
today and by whom. And to Mr. Mastria, I would like to direct 
some of my questions toward you. 

Is it a correct statement that third-party advertising companies 
who are regulated by Network Advertising Initiative do not inten- 
tionally collect information used or intended to be used to identify 
a particular individual, including name, address, telephone num- 
ber, e-mail address, financial account, or Government-issued identi- 
fiers? 

Mr. Mastria. So the NAI is a founding member of the DAA. I 
can’t speak for them directly, but it is my understanding that is 
correct. 

Senator Heller. Are there online advertising companies that do 
collect and use such information about their users? 

Mr. Mastria. Not that I am aware of for behavioral advertising 
or interest-based advertising. 

Senator Heller. OK. Mr. Brookman? 

Mr. Brookman. May I just interrupt? First of all, I think the 
NAI code does not actually prevent the use of PIT in that way. It 
allows for — it requires opt-in consent for a retrospective pending 
PIT, but it allow, I think, for using PIT and in collecting behavioral 
data going forward. 

The Wall Street Journal reported end of last year about a com- 
pany called Dataium that would track you by e-mail address. And 
then I can’t remember exactly how it went, but if you were online 
looking at cars, they could e-mail back to the car dealerships you 
had previously gone to and said, “Hey, Justin is in the market for 
that BMW again. Do you want to give him a call?” 

So, I mean, there has been reporting. And I believe the code al- 
lows for tracking by real name online. 

Senator Heller. Let me follow up. 

Mr. Mastria. Senator, if I may? 

Senator Heller. Go ahead. 

Mr. Mastria. Just to clarify, so you asked about the NAI, but the 
DAA code actually does prohibit what you described. 

Senator Heller. Just to follow up, would you agree that my 
name, what I bought, my address, and other very identifiable 
pieces of information are collected elsewhere on the Internet, most- 
ly by first-party and not by most third-party advertising compa- 
nies? 
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Mr. Mastria. Typically, yes. 

Senator Heller. Mr. Brookman? 

Mr. Brookman. Yes, absolutely. They are the ones who have a 
relationship, and they are the ones that you tell. So, yes. 

Senator Heller. Any other comments? 

[No response.] 

Senator Heller. Mr. Chairman, thank you. 

The Chairman. Thank you. Senator Heller. 

Mr. Anderson, Mozilla did announce that the newest version of 
your popular Web browser Firefox would automatically block most 
third-party cookies. The move was hailed by many as a necessary 
step to protect consumer privacy, particularly in light of the contin- 
ued stalemate at W3C. 

Will you just tell us why you decided to provide Firefox users 
with this protection? 

Mr. Anderson. Thank you for the question. 

First, the current third-party cookie proposal is under evaluation. 
The behavior that would block third-party cookies when a user goes 
to a site, unless they interact with them, and which also grand- 
fathers in existing cookies, which means we are using that as a 
proxy for a prior relationship, is under evaluation right now. 

It is in what is called an Aurora build. So about 200,000 users 
have it, and so we are testing it to see if it works and at what it 
breaks. The next step is that it would move into what is called a 
Beta build. So there will be several million users that we would 
test it on to see if it — how it responds. 

But the genesis came from a contributor. So Mozilla is an open 
source project. Contributors propose patches and changes to the 
Firefox behavior. So this came from a contributor, a volunteer, ear- 
lier this year. 

From a technical perspective, it seemed to make sense. It had 
a — it was a promising idea. And the goal, as I understand and as 
I think about it, is that it creates a Web that reflects a user’s ex- 
pectations. 

Users don’t expect that when they go to a site hundreds of cook- 
ies are placed on them. They just don’t expect that. We may find 
that it is the right way to go. We may find that it is not the right 
way to go. I am not sure yet. 

And so, we are still gathering information. That is why we have 
been spending a bunch of time talking to folks in the ad and pub- 
lishing business to understand how it will actually affect them. 

The Chairman. Mr. Mastria, the industry that you represent was 
obviously not happy about that development. One representative 
called it a “nuclear first strike.” I have heard rumblings that this 
is the beginning of — this is the phrase that you all use — techno- 
logical war between your member companies and browser devel- 
opers like Mozilla. 

Will your companies thwart Mozilla’s privacy initiative by using 
other more invasive technologies to collect information on con- 
sumers? Second, if companies like Mozilla respond and develop 
other privacy tools — this is sort of like cyber war — will your compa- 
nies attempt to get around these tools? 
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In other words, will your member companies do everything they 
can at all costs to subvert default privacy protections on Web 
browsers? 

Mr. Mastria. Senator, so our members provide transparency and 
choice as a way to create trust for interest-based advertising. That 
is what we do. Interest-based advertising is one of the uses that 
emanates from the use of third-party cookies. There are hundreds 
of other uses. 

There are third-party cookies on and third-party technologies 
on 

The Chairman. Are you going to answer my question? 

Mr. Mastria. Yes. No, our commitment is to provide trans- 
parency and choice to consumers, regardless of technology, whether 
it is cookie based or any other technology that might come along. 
It is technology neutral. 

The Chairman. So let me ask again. You will — you will 

Mr. Mastria. We will continue to provide transparency and 
choice 

The Chairman. — to rise above whatever technology he may bring 
at you. And if he goes up, then you will go up, too. 

Mr. Mastria. I don’t know what he is bringing. He is saying 
that 

The Chairman. Neither does he. 

Mr. Mastria. Yes. So, I mean, you are asking me to speculate. 
The reality is 

The Chairman. You are going to win this, right? 

Mr. Mastria. I am sorry. What? 

The Chairman. You are going to win this. You are going to pre- 
vail. 

Mr. Mastria. We think that transparency and choice, as has 
been discussed here, is, in fact, the appropriate solution to educate 
consumers about what is going on online with data. The reality is 
that third-party cookies are used, as I said, for a whole host of rea- 
sons — data protection, security, shopping carts, widgets, et cetera, 
et cetera. I can go down the line. 

The fact that there are many, few, is no indication of anything 
other than a Website using multiple — multiple third-party services 
to deliver its content. There are no necessarily nefarious purposes 
assigned to the cookies simply because they are there. And that is 
an unfortunate 

The Chairman. Thank you. 

I want to ask Mr. Brookman a question. My time is about to run 
out. 

One of the things that really disturbs me in privacy, or the lack 
of it, is the way that data brokers can go in and buy all your health 
records, your financial records — they can get it one way or an- 
other — academic record. I mean, all kinds of things, what is of you 
they can have. And then from that, they — other people make a lot 
of money out of trying to send them stuff. 

Why is it that I find that — and I know lots of people can do that. 
But we are talking about a very, very large industry here which 
can decide to do that and which is doing that. Why is that so repul- 
sive to me? 

Mr. Brookman. I will speculate 
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[Laughter.] 

Mr. Brookman. — that it is deemed on sensitive personal infor- 
mation by companies with which you have never heard of and have 
no relationship and no idea and no control over. Because if you 
wanted to right now go find out which data brokers are selling data 
about you, you could assign five interns for it, and you won’t be 
able to do it. 

One thing the FTC has actually done — has planned to do, and I 
think it is a really good idea, is that they are going to try to host 
a potential repository. So any data broker entity would have to reg- 
ister on the FTC site, and then you can go through and find out 
what companies are selling about you. 

Again, it is going to be voluntary because we don’t have privacy 
law in this country. The rest of the free world has privacy law. The 
United States and Turkey do not. 

I think there should be obligations for companies to tell you what 
they have about you. And if it is wrong and it can be used for im- 
portant purposes, I think you should have a right to access and cor- 
rect it. 

The Chairman. So legislation — I keep getting these little notes. 
They are not helping me as much as the writers of the notes are. 
So that is what legislation would do? 

Mr. Brookman. Yes. That is one piece of what legislation would 
do, which is why we spent so much time focusing on behavioral ad- 
vertising. I mean, there are worse things out there, and it does fly 
under the radar. 

I mean, data brokers have been around for 

The Chairman. That is the magic, isn’t it? Nobody knows it is 
out there. 

Mr. Brookman. Yes. Yes, there is just no way to find out. 

The Chairman. Senator Richard Blumenthal is a distinguished 
new member of our committee and was, for 28 years, attorney gen- 
eral in Connecticut and has a knack of getting to the point. 

Senator Blumenthal? 

STATEMENT OF HON. RICHARD BLUMENTHAL, 

U.S. SENATOR FROM CONNECTICUT 

Senator Blumenthal. I am a member of this committee. Thank 
you, Mr. Chairman. 

I don’t know about distinguished, but I am a member of this 
committee who has proudly co-sponsored the bill that you have in- 
troduced to establish standards for implementation of the Do-Not- 
Track mechanism, very simply a mechanism that consumers can 
trust. And I am disappointed that the self-regulatory agreements 
that were committed to be done 5 months ago are overdue, and I 
would like to ask Mr. Mastria how long Congress should wait be- 
fore moving on this legislation? 

We have waited for voluntary agreements. How much longer 
should we wait? 

Mr. Mastria. Senator, we are willing to move today. In fact, we 
are still engaged in the W3C process to move forward. There have 
been some actions of two browser companies in particular, which 
have frustrated those efforts, but we continue to abide by the 
White House agreement that we made in February 2012. 
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I would also want to go back and touch on the point that the 
chairman made when he asked about will the advertising industry 
win? Senator, really, the consumers will win, I think, at the end 
of the day, because we would give them their preferred user experi- 
ence — free, ad-supported content with relevant advertising. 

And I would submit that they would win partly because the pro- 
gram that we have in place matches very closely to the program 
that you and Senator Blumenthal are co-sponsoring. 

Senator Blumenthal. Let me bring you back to my question, if 
I may, Mr. Mastria? 

Mr. Mastria. Sure. 

Senator Blumenthal. And I realize that in good faith, maybe 
you can’t answer it. But I am asking you, whatever the reason why 
the commitment hasn’t been met, really can we wait much longer? 
Isn’t it appropriate for Congress to act now, given that, again, for 
whatever reason the voluntary agreements don’t seem to be forth- 
coming? 

Mr. Mastria. I think that — I think that we are hopeful that an 
agreement can be reached. 

Senator Blumenthal. How soon? 

Mr. Mastria. I don’t think that I could tell you. 

Senator Blumenthal. You don’t know. 

Mr. Mastria. I don’t know an exact time. 

Senator Blumenthal. That is a fair answer. That is a fair an- 
swer. 

Mr. Mastria. But I would also say, I would color that answer 
with this does take a little bit of time, and the reality is that we 
are working at it and that legislative or technological fiats are not 
necessarily what the Internet needs. It is still growing. It is still 
evolving. 

And we think that a nimble self-regulatory approach, much like 
ours, which is about to provide guidance in mobile and the app en- 
vironment, is exactly the kind of thing that helps foster consumer 
trust while protecting privacy. 

Senator Blumenthal. And I would find that answer satisfactory. 
And I am not challenging the good faith in providing that answer, 
except we are living in a revolutionary world. We are in the midst 
of a revolution. 

We are debating right now on the floor of the United States Sen- 
ate the Marketplace Fairness Act, which takes as a given that we 
have $150 billion in Internet sales, a number that would have been 
unimaginable maybe just a year ago. And we all have friends. 
Some have more friends than others. Many of our friends don’t 
know as much about us as the people who do business on the Inter- 
net, about our tastes in music or design or fashion or whatever. 

And so, I think consumers have a right to ask whether we can 
trust the commitments, the commitment that was made months 
ago as part of the President’s program, of whether we can trust 
that commitment when no one seems to know when the voluntary 
standards will be completed. 

Mr. Mastria. We can commit to you that we are continuing to 
work on it. To put a specific date on it would not be fair. But I can 
commit to you that we are working on it. 
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Senator Blumenthal. Is there something that either Congress or 
the FTC can provide to you that would make those voluntary 
standards or agreements easier to reach? 

Mr. Mastria. Yes, well, as I said in my testimony and I think 
I repeated a number of times, the reality is that there are two 
browsers that are contravening that agreement right now. So as 
soon as we can get some agreement around that, then we can move 
forward much more quickly. But the reality is that we are at the 
table and willing to move forward. 

Senator Blumenthal. And really the only thing that can force 
compliance is a law, at the end of the day. Isn’t that what you are 
telling this committee? 

Mr. Mastria. No. 

Senator Blumenthal. Well, if those browsers are refusing to 
abide by voluntary standards or refusing to be part of an agree- 
ment, isn’t a law necessary? Isn’t that sort of the classic 

Mr. Mastria. No, we have an agreement. Senator. I mean, we 
just want them to live up to it. That is it. It is as simple as that. 

Senator Blumenthal. Well, when voluntary agreements fail to 
provide for compliance, it seems to me that is the classic instance, 
assuming that the public interest is involved, where a law is appro- 
priate. 

Mr. Mastria. I would submit. Senator, our program today deliv- 
ers the very mechanisms that you and Chairman Rockefeller have 
proposed in your bill. 

Senator Blumenthal. OK. 

The Chairman. Senator Blumenthal, I would just interrupt to 
say that what he is talking about, his standards are totally unen- 
forceable, and he knows it. 

Senator Blumenthal. Thank you. 

Well, Chairman Rockefeller, I think, has made the point more 
succinctly and clearly than I could. But I think that, unfortunately, 
is the thrust of what I am hearing at this committee hearing. 

Thank you very much, Mr. Chairman. 

The Chairman. You just arrived recently. Do you want to ask an- 
other question? 

Senator Blumenthal. I am done. Thank you. 

The Chairman. You are done. 

Senator Blumenthal. Yes. 

The Chairman. Just done. OK. I am going to close this by going 
back to what I think, Mr. Anderson, you started with. And that is 
that in the long run, most things that work in America of a com- 
mercial nature or which intersect with people’s lives in a personal 
way — both personal and commercial, therefore — are where things 
are trusted. 

And that the future of the Internet and its various transactions, 
as it weaves in and out of what it gets to know behaviorally or con- 
ceptually about individuals and then uses that so people can go 
make money off of it, that the American people are smart, and the 
statistics of the number of people who use the Internet are stag- 
gering. The 12 to 17 group is the highest percentage of users, but 
it is all staggering. It is all 85, 90 percent stuff. 

So that all those people who are not aware of the practices of 
some because it is under the radar are gradually going to become 
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aware that this is a process. The Internet is very new. As I said 
before, I am stunned by the fact that, you know, this basically — 
the Internet went usable generally, what, in the mid 1990s, about 
then? And since then it has done nothing but grow exponentially. 

Then you get Facebook, which actually is interesting because 
Facebook is all closed off. Nobody can penetrate them. It is rather 
good, I think. You come up with some ideas. Microsoft comes up 
with some ideas, actually different from my bill. I am just thinking 
maybe they are better than my bill. 

Because I think that — well, I don’t commit myself to anything on 
that, but it seems to me the more we do to make the consumer’s 
life easier, his right to privacy or her right to privacy easier, 
whether you opt out, opt in, whether you do it by default, which 
is what you do, which sort of makes them, allows them to come 
back and say, “No, no, I want to be able to do this.” But it protects 
them from the beginning. 

And as they want not to be protected, they can make those ad- 
justments. That ultimately is the kind of thing which builds the 
trust, or things of that nature within some radius of what you are 
talking about are what ultimately build the trust in this country 
toward the Internet that it is going to need. 

Popular as it might be, it is stunning how much harm in real 
terms through blogging, through bullying, through stuff that leads 
to suicides and all that. It is commonly talked about now. It was 
not even a subject, obviously, 10 years ago when I went around 
West Virginia. It is commonly talked about. I have lots of round- 
table and town meetings on that. 

So the American people are smart. They are going to figure this 
out. And as they figure it out, they better like what they see if the 
Internet wants to prosper. 

And with that, the hearing is adjourned. 

[Whereupon, at 4:19 p.m., the hearing was adjourned.] 
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Response to Written Questions Submitted by Hon. John D. Rockefeller IV 

TO Harvey Anderson 

Question 1. Do you believe that the DAA’s self-regulatory program and choice 
mechanism, in their current form, are sufficient for consumers? Why or why not? 

Answer. No, we do not believe the DAA’s program in its current form is sufficient 
for consumers. As we outlined in our written testimony, the efficacy of the Digital 
Advertising Alliance (DAA) Ad Choices program remains an open question. Last 
year, according to one study, the number of users who viewed the icon was low: 
0.0035 percent of users clicked on the icon, and only 1 in 20 of those actually opted 
out. The DAA itself reported that more than a trillion ads per month include the 
Ad Choices icon — a blue triangular icon that when clicked, takes consumers to a 
page where they can learn about the ad, and opt out of receiving it. Only five mil- 
lion users have accessed the choice tool, and reportedly a total of two million of 
those have opted out of all interest-based advertising since the program began. Over 
a three-month period this equates to an effective rate less than .0000006 percent. 

This low opt-out rate seems inconsistent with the 1 1 percent of Firefox users who 
have turned on Do Not Track without prompting or any conspicuous visual clues 
in the Firefox user interface (see https:! i dnt-dashboard.moziUa.org D. The ar^- 
ment that the current low participation rate means that consumers are “OK” with 
the current tracking and collection practices is contradicted by the ample survey re- 
search indicating otherwise. 

The user experience for the opt-out and the user education could be substantially 
improved. The icon could be more visible, contain less text, and require fewer 
clicks — it could be more user-friendly. Still, even though we believe improvement is 
warranted, we recognize that the DAA scheme represents significant effort, coordi- 
nation, and investment that overtime can improve through iteration and feedback. 

Question 2. Can the DAA’s existing self-regulatory scheme be narrowed or 
changed in some way as to place reasonable, meaningful limits on the collection of 
consumer’s information? How? 

Answer. Mozilla only has access to the information that is publicly available con- 
cerning the DAA’s program and, beyond our comments above, we do not have suffi- 
cient information to provide a detailed response to this question. 


Response to Written Questions Submitted by Hon. Barbara Boxer to 
Harvey Anderson 

Question 1. How do Firefox users find out about the Do Not Track feature? 

Answer. Currently, we believe most Firefox users find out about the Do Not Track 
feature by exploring the Firefox preferences. Users may also learn about the feature 
through popular media, which has widely covered development of the feature, and 
from consumer advocacy groups. We have also provided users with some information 
about Do Not Track through our own blogs, marketing materials and support pages. 

To enable Do Not Track in Firefox, a user must first select “Preferences” in the 
menu options, and then select the “Privacy” menu shown below to enable Do Not 
Track. 


©O'”' 


Privacy 

lU 

- \ 


- -. It ; 


General Tabs 

Content Applications Privacy 

Security Sync Advanced 


Tracking 

0Tell sites that I do not want to be tracked. 
OTell sites that I want to be tracked. 


( 69 ) 



70 


We do not promote the feature in the product or provide the user with visual 
prompts in the main user interface. This is primarily because Do Not Track is still 
under development and we need widespread industry adoption of the system and 
the signals for it to provide meaningful choice and control to users. 

Question 2. To what do you attribute the growth in the number of Firefox users 
who have turned enabled Do Not Track? 

Answer. We attribute the growth in the number of Firefox users who have en- 
abled Do Not Track to a broad user sentiment that they want more control in their 
digital transactions. There are very few easy options available, and users perceive 
they are tracked across their web browsing activities and don’t understand how/ 
whether they receive benefits or direct value from this tracking. Those users who 
don’t want this to occur or don’t understand what’s happening with their data set 
their browsers to tell sites “not to track” them. We expect that adoption will sta- 
bilize over time and we don’t necessarily believe the growth rates will organically 
continue if adoption remains consistent with historical patterns. We also believe 
that the adoption rate may be affected by how well industry recipients respect Do 
Not Track signals. 

Question 3. Why did Mozilla make the decision to block third-party cookies by de- 
fault? 

Answer. We continue to evaluate the “third party cookie patch” that is currently 
available in the Aurora build (a special testing build used by a small number of 
users) for Firefox. This patch would create a default setting that blocks third party 
cookies. Our primary motivation for considering the patch is to make enhancements 
to cookie policies that will help to create the Web experience users expect. The cur- 
rent feature set matches Apple Safari’s third party cookie policy. We are still gath- 
ering feedback on the current proposal and iterating on other ideas and potential 
modifications. The new default cookie policy will remain in our test builds of Firefox 
until evaluation and development is complete. 

Question 4. How do the expectations of Firefox users differ with respect to first- 
party and third-party cookies? 

Answer. We believe that Firefox users are more likely to expect tracking and col- 
lection from parties with whom they have intentionally engaged. This is because 
users have a better understanding of the value proposition and the benefits to them. 
This is often called a first-party. For example, when you log into Amazon, users ex- 
pect the service to remember your name, past history, and to offer experiences based 
on information they have collected about you through your interactions with the 
service. Conversely, users don’t generally expect that parties with whom they do not 
have a relationship to collect or track information about them. The converse is also 
not necessarily true, all first parties are not necessarily “good” and all third parties 
are not necessarily “bad” or surprising to users. For example, some websites engage 
third parties by contract restricting their collection and tracking practices, others 
use third parties for analytics in ways that would be perfectly acceptable to users, 
and even other third parties operate and comply with the laws of the relevant juris- 
dictions with strict regulatory prohibitions on profiling without user consent. 

Question 5. How does blocking third-party cookies change a user’s browsing expe- 
rience? 

Answer. Through our testing we continue to learn more about what happens when 
third party cookies are blocked, but we our review process is still ongoing. For the 
most part, blocking third party cookies will have little overall impact to a user’s 
browsing experience. Users will still be able to consume content from those websites 
that have enabled third party cookies even though those cookies cannot be read — 
ads will continue to be displayed, but the user may not be shown targeted ads based 
on cookie data. It’s also possible that a site may prevent a user from accessing some 
content or services without enabling the use of third party cookies for that site. It 
is worth pointing out that in mobile web browsing, fewer sites and apps rely on 
third party cookies, so disabling third party cookies by a mobile OS provider has 
even less impact on a user’s browsing experience. 

Question 6. How have users, advertisers, and other stakeholders responded to 
Mozilla’s announcement regarding its new third-party cookie policy? 

Answer. The response to the proposal has differed widely depending on the re- 
spondent’s role in the digital ecosystem. Users have largely been silent (maybe be- 
cause the change and impact is not well understood outside of the ecosystem), yet 
comments posted to various social sites and media outlets demonstrate strong sup- 
port coming from some segments of our user base. Publishers have expressed con- 
cerns about frequency capping and conversion management, functionality offered by 
cookies. Ad tech entities that don’t have a direct relationship with the user or who 
provide re-targeting services have articulated concern that this may directly impact 
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their current businesses. Some stakeholders in the ad tech industry have expressed 
concern that the proposed change gives first parties an unfair advantage that may 
make their inventory more valuable over time. The brands have not articulated spe- 
cific concerns, but generally tell us they don’t want to be associated with non-trans- 
parent practices and are concerned about the extent to which third parties are 
tracking users outside their stated privacy policies. Consumer groups have been 
very supportive of the proposed change because it increases transparency and user 
control, reduces emergence of data inequalities, and the sale of secondary purposes 
outside of the user’s control and benefit. 

There also seems to be a general sentiment among stakeholders that the current 
practices of using cookies for collection and tracking are not long lived and new 
technological approaches are on the horizon. Thus, while stakeholders we’ve met 
with know change is inevitable with regard to cookies, there is inherent resistance 
until a better alternative is available. 

Question 7. Do you anticipate other browser companies following suit in blocking 
third-party cookies by default? 

Answer. Apple’s Safari browser already has implemented a third party cookie pol- 
icy that blocks most third party cookies by default, including on its iOS platform 
devices like iPhones and iPads. We are unable to predict what Google and Microsoft 
will do relative to third party cookies. 

Question 8. How prevalent is the use of digital fingerprinting and other non-cookie 
tracking among websites encountered by Firefox users? 

Answer. We know various forms of digital fingerprinting are in practice today, 
however, we do not have sufficient information to quantify the extent of the current 
practices. 

Question 9. What does Mozilla do to address the use of these alternative tracking 
methods? 

Answer. Our primary proposal to address all forms of tracking has been our work 
on Do Not Track. We still believe a simple, user-enabled Do Not Track signal is the 
best method for providing users and sites a simple, persistent, automated and effec- 
tive signal to opt-out of tracking regardless of whether a site or app is using cookies, 
unique IDs, fingerprinting or other tracking methods. We also are continuing to 
work to minimize the Firefox user agent string fingerprint where possible. 

Question 10. What role do alternative tracking methods play in the ongoing World 
Wide Web Consortium discussions regarding a Do Not Track standard? 

Answer. To date, the scope of the W3C discussions have been focused on a Do Not 
Track signal that would be technology-agnostic on the form of tracking method 
being deployed by a third party. Barring some change in the coming weeks, the 
W3C specification would apply to any type of third party tracking. 


Response to Written Questions Submitted by Hon. Frank R. Lautenberg to 

Harvey Anderson 

Question 1. A 2010 Wall Street Journal series on online privacy illustrated the 
extent to which individuals are being tracked and how the invasive practice can 
cause real harm. A recent high-school graduate, who had been identified by adver- 
tisers as concerned about her weight, told the paper she sees weight-loss ads every 
time she goes on the Internet. She said, “I’m self-conscious about my weight. I try 
not to think about it . . . then [the ads] make me start thinking about it.” Do you 
believe this qualifies as a real harm? 

Answer. We cannot judge how the ad placements may have impacted the indi- 
vidual interviewed in the WSJ series. Traditionally, legal harm that results in rem- 
edies and legislative action requires a cognizable and quantifiable loss or injury. The 
WSJ series demonstrates the real need for education, transparency and greater 
trust in advertising data practices. 

Question 2. Many believe the lack of transparency — particularly with regard to 
3rd party cookies — and an individual’s inability to know what personal information 
is actually being collected can cause real harm because consumers don’t have the 
ability to understand how to protect themselves from invasive tracking. Do you 
agree that this is a harm? 

Answer. Harms in this case are difficult to quantify in a traditional sense because 
the real harm is a lost opportunity to accelerate commerce and more meaningful 
digital transactions. As stated in our written testimony before this Committee, we 
believe that more education, greater transparency and direct control around these 
advertising practices creates trust and demonstrates value to the user which would 
ultimately create a better, stronger ecosystem: 
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“If users do not understand what happens to their data, how it is used, or the 
trade-offs, they will inevitably seek more protective blocking options. Con- 
versely, we may see the adoption of more invasive and even less transparent 
tracking methods. The impact is that efforts to protect the status quo further 
erode people’s trust in the ecosystem, thereby compromising future expansion 
of commerce and innovative growth of this ecosystem. Personalized content is 
good, however, the collective challenge we face is how to deliver that content 
transparently. 

The future of a viable, innovative Web that continues to contribute jobs and 
drive social, educational and economic activity depends on consumer trust. To 
develop this trust, transparency, choice and control are essential. Real trans- 
parency of business and data sharing practices combined with meaningful user 
choice will engender the confidence users expect.” 

Question 3. Do you believe that consumers have a basic right to privacy online? 

Answer. Certainly some states like California, and many countries around the 
world, have provided constitutional protections for privacy. To the extent these 
rights extend to digital environments, we act consistently with the applicable law. 
We also believe users have a right to make choices — that don’t punish them — about 
their information, habits, relationships, interests, activities, and preferences. This 
value is reflected in our product design in ways that users efficiently and easily 
navigate the web. 


Response to Written Question Submitted by Hon. Amy Klobuchar to 
Harvey Anderson 

Question. It now appears that Mozilla, Apple, and Microsoft are competing on con- 
sumer privacy. Both the FTC and White House reports on privacy released last year 
mention the possibility of privacy practices, including online tracking options, be- 
coming a consideration for consumers deciding between devices and services. Have 
you seen data suggesting consumers already chose services, particularly online, 
based on privacy practices? Is this impacting the competition between browsers and 
services? 

Answer. Privacy practices by the major browser providers are emerging as a 
major factor but do not appear to be the driving factor in product selection. In most 
markets, privacy is important as a feature area for browsers, but our research indi- 
cates that it still ranks behind other factors like performance, stability and security. 

Part of the challenge for browsers is that privacy is not a mature area of feature 
development. Most of the privacy tools and settings available in browsers are still 
in early phases of development and generally are not used by the mainstream user. 
If more browser technology existed that was privacy forward, intuitive, and added 
value to a user’s online experience, more users would seek it out and avail them- 
selves of it. 


Response to Written Question Submitted by Hon. Brian Schatz to 
Harvey Anderson 

Question. I agree with the point that you made in your testimony that it is impor- 
tant to protect the trust of consumers. I am concerned that, right now, consumers 
lack even the most basic tools to understand, let alone trust, the information col- 
lecting activities of advertisers on the websites they visit. When a consumer is 
browsing on the internet, is there any way for that consumer to know on any given 
website (1) who is collecting information about that person, (2) for what purpose 
that data is being used, and (3) who else might have access to that data? 

Answer. For over a decade, the primary basis for consumers to learn about any 
given site’s data handling practices has been its posted privacy policy. Numerous 
studies have been done over the years showing that the vast majority of top com- 
mercial websites have privacy policies (see TRUSTe Privacy Index 2011; http:! ! 
tctechcrunch2011.files.wordpress.com ! 2011 ! 11 / truste-privacy-index-2011-websites 
.pdf). Some state governments, such as California, have legislated that websites are 
required to post a policy that covers the three points you outlined in your question. 
The Federal Trade Commission has also brought a number of deceptive/unfair prac- 
tice actions against sites that have wavered from stated data practices. 

While there is research showing that consumers don’t regularly read or make 
sense of these policies, privacy policies are noteworthy sign posts used to provide 
information about sites’ data practices (see “The Cost of Reading Privacy Policies,” 
A. McDonald & L. Faith Cranor, I/S: A Journal Of Law And Policy For The Infor- 
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mation Society, 2012; http: II moritzlaw.osu.edu ! students ! groups ! is ! files ! 2012 ! 02 ! 
Cranor_Formatted Final.pdf). 

As it relates to third party tracking, the current paradigm of relying on posted 
privacy policies creates challenges as it becomes more difficult to describe in detail 
within these policies how consumer websites employ third party services, widgets 
and advertising. Moreover, because of the need for more transparency about the cur- 
rent practices in the digital ad tech sector, consumer expectations of what is occur- 
ring on these websites are not being matched. 

One of our stated objectives in developing a Do Not Track specification is to help 
evolve the notice and choice model to one where a user states his/her preference and 
the website is able to communicate back its relevant tracking practices all without 
the consumer needing to read the privacy policy. 


Response to Written Question Submitted by Hon. Ron Johnson to 
Harvey Anderson 

Question. What are the harms that are actually occurring to consumers through 
anonymous cookie-based “tracking?” As indicated in Mr. Mastria’s testimony, the 
primary privacy concerns for most consumers online have to do with identity theft, 
viruses and malware, and government surveillance. So, what harms are occurring 
that the FTC doesn’t currently already have the authority to address? 

Answer. The question of harms associated with online tracking is a complicated 
one to answer, as we stated above in our responses to Senator Lautenberg. We need 
to look beyond legal distinctions or classes of harms to look at the erosion of trust 
in the ecosystem resulting from non-transparent tracking of consumers online. Mr. 
Mastria’s testimony points to some of the privacy concerns of consumers today. 
However, we know consumers care about intrusions into their private lives, not just 
from hackers or governmental entities, but also from commercial entities. 

To consumers, many types of personal information can be important to them, in- 
cluding elements that are uniquely identifiable or not, including de-identified data, 
that might be characterized as “anonymous” meaning not including a person’s name 
or SSN, for example. 

Meaningful distinctions between personally identifiable information (PII) and non- 
PII are breaking down. 

To a certain extent, much of the data collected from or about a consumer online 
could be reasonably considered “personal” by that person. In the context of cookies, 
calling data associated with a cookie “anonymous” because it doesn’t include a per- 
son’s name, home address or other PII doesn’t mean that there aren’t privacy con- 
siderations. Whether data is uniquely identifiable or becomes subsequently identifi- 
able in combination with other data, or whether future, novel uses of that data cre- 
ate new contexts with privacy properties, people can have legitimate interests in 
wanting to understand and have a say in a company’s data handling practices. For 
example, a database generated by a third party company in the ad ecosystem that 
is able to associate a consumer’s online browsing history down to a specific product, 
interest or purchasing intent and then for that data to cross multiple companies’ 
systems to use that data across the web to personalize display ads, content or rec- 
ommendations can feel personal to that user despite not including any PII. 

On a technical level, there are many, real world examples of so-called anonjnnous 
data being later re-identified. In 2006, AOL released a large data set for research 
purposes of 650,000 users’ search queries that it anonymized before posting online. 
Using a phone book listing. The New York Times was able to identify individuals 
from the data. Since then, a number of researchers have demonstrated that by com- 
bining datasets from public sources with anonymized datasets, it is possible to re- 
identify actual individuals sometimes to dramatic effect in some cases where the 
once-anon 3 Tnized dataset includes financial or health related data. 

We shouldn’t accept comments made by those trying to minimize concerns associ- 
ated with anonymized datasets about users’ online activities, purchases, communica- 
tions and relationships because the business interest is only to personalize a display 
advertisement today. We have to think more broadly about the future of this data 
once its collected, whether it might be compromised by a hacker, resold to other 
businesses whose practices may not always be in the consumer’s interest (e.g., em- 
ployment decisions) or swept up in a government subpoena. We believe all players 
in the industry need to recognize the long-term ramifications and implications of 
any data being collected online and establish best practices and technical measures 
to provide users greater transparency, choice and control. 



74 


Response to Written Questions Submitted by Hon. John D. Rockefeller IV 

TO Luigi Mastria 

Question 1. Much of the hearing focused on the DAA’s promises at the February 
2012 White House event to honor Do-Not-Track browser-based header signals. In 
your testimony, you stated that the DAA committed to honor a Do-Not-Track header 
“where a consumer (1) has been provided language that describes to consumers the 
effect of exercising such choice including that some data may still be collected and 
(2) has affirmatively chosen to exercise a uniform choice with the browser based 
tool. The DAA standard will not apply in instances where (1) and (2) do not occur 
or where any entity or software or technology provider other than the user exercises 
such a choice.” Some browsers, such as Google’s Chrome, appear to currently meet 
these requirements, yet few DAA members honor such Do-Not-Track signals. Why 
do your members not currently honor Do-Not-Track header signals that meet the 
very standards you outlined in your testimony? 

Answer. The DAA administers a comprehensive program of industry self-regula- 
tion for the collection and use of web viewing data that provides enhanced consumer 
transparency and control. The DAA’s Principles call on companies to provide con- 
sumers with choice with respect to the collection and use of web viewing data. To 
help companies implement the Principle of Consumer Control, the DAA developed, 
implemented, and maintains a consumer choice page through which consumers can 
set their preferences. Since the program’s launch, eight million users visited this 
choice page with more than two million exercising their choice. This tool provides 
meaningful and effective choice in the marketplace. 

The DAA seeks to develop universal standards that deliver a consistent user expe- 
rience. For instance, DAA developed principles for transparency that enumerates 
the elements of notice and the means hy which such notice is provided. Specifically, 
DAA calls on companies to provide transparency outside the privacy policy via the 
DAA Icon. With each icon served — at a rate of more than one trillion ad impressions 
per month across the Internet — consumers can link to notice concerning a company’s 
data practices and access a choice mechanism. This approach provides a consistent 
user experience for consumers; i.e., when a consumer clicks on the Icon, the con- 
sumer can expect a certain result- notice of data practices and access to a choice 
tool. 

The DAA seeks similar consistency for consumers with respect to browser-based 
choice mechanisms. 

In February 2012, the DAA announced an agreement to honor the DAA Principles 
through a browser signal when consumers both (1) receive meaningful information 
about the effect of that choice, and (2) affirmatively makes that choice themselves. 
The DAA standard will not apply in instances where (1) and (2) do not occur or 
where any entity or software or technology provider other than the user exercises 
such a choice. 

Unfortunately, this agreement has been short-circuited due to contrary ap- 
proaches taken by Microsoft and Mozilla. Microsoft subsequently released its new 
version of IE 10 with “do not track” turned “on” as a default setting, in direct con- 
flict with the agreement they helped develop with the White House. 

Mozilla has implemented what it refers to as a “do not track” tool in the current 
Firefox release also without following the White House agreement, for example by 
not describing for consumer the impact of their choice and creating inaccurate con- 
sumer expectations. Mozilla’s interface permits users to check a box to “Tell 
websites I do not want to be tracked.” Nothing more is provided to users; for exam- 
ple, consumers are not told that, by exercising such choice some data may still be 
collected. This implementation conflicts with the workable standard developed 
through industry consensus in 2012 and does not provide consumers with clear in- 
formation about the effect of their choices. 

Until there is a universal meaning and implementation consistent with the Agree- 
ment at the White House across all browsers, DAA will continue to call for compa- 
nies to provide choice via DAA’s effective choice tools and not require companies to 
adhere to tools that promote confusion for consumers and do not meet the DAA’s 
consensus standard for consumer control. 

Question 2. I am very concerned that in the absence of a comprehensive Do-Not- 
Track agreement, your member companies will respond to default consumer privacy 
measures recently considered by Mozilla, the nonprofit organization behind the pop- 
ular Web browser Firefox, and other browser developers. I worry that such a game 
of one-upmanship could have a detrimental impact on how consumers experience 
the Internet. Will your members thwart default settings that block third-party cook- 
ies by using other, more invasive technologies — such as browser fingerprinting — to 
collect information from consumers? 
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Answer. The DAA’s Principles and Program are technology neutral. The DAA’s 
Principles consist of seven principles: education, transparency, consumer control, 
data security, controls with respect to material changes to policies and practices, 
heightened safeguards for sensitive data, and accountability. The principles set 
standards designed to provide a consistent user experience. The DAA does not man- 
date the use of specific technologies by companies in satisfying these Principles or 
in delivering their services, but instead calls for companies to provide transparency 
and control with respect to their practices. 

Question 3. If browser companies like Mozilla respond and develop other privacy 
tools for consumers that actively prevent the collection of information, will your 
members attempt to get around those tools and subvert default privacy protections 
on Web browsers? 

Answer. It is my understanding that Mozilla has chosen to delay its plans to block 
third-party cookies to reassess the impact blacking would have on the Internet eco- 
system. Cookie blocking does not advance consumer choice and would have a signifi- 
cant adverse effect on users’ Internet experience. 

Cookies set by third parties play a vital role in the Internet ecosystem by facili- 
tating consumer access to content and services. Blocking of third-party cookies 
would disrupt consumers’ online experience on the websites they use by reducing 
content personalization and the relevancy of advertising they receive — and these 
moves could even impact shopping cart and other similar third-party operational 
functionality. This change would harm all Internet content and services that use 
third party technologies to understand and protect their audiences. In particular, it 
would disproportionately harm the numerous small publishers that are often com- 
pletely reliant on these technologies to operate and monetize their sites, thereby 
thwarting new job creation and chilling innovation. 

The DAA will monitor changes in the marketplace and evaluate the impact of this 
type of unilateral decision on the Internet and advertising ecosystem. The online ad- 
vertising industry is a beacon for innovation and job creation. In 2012, Internet ad- 
vertising revenues reached a new high of $36.6 billion, an impressive 15 percent 
higher than 2011’s full-year number. ^ Because of this advertising support, small and 
medium-size publishers can provide consumers with access to a wealth of online re- 
sources at low or no cost. This model delights consumers and creates jobs across 
America, fostering a competitive marketplace that drives down prices for consumers 
and costs for businesses. A 2009 study found that more than three million Ameri- 
cans in every U.S. state are employed due to the advertising-supported Internet, 
contributing an estimated $300 billion, or approximately 2 percent, to our country’s 
GDP.2 There is employment generated by this Internet activity in every single con- 
gressional district in every state across the United States.^ 


Response to Written Questions Submitted by Hon. Barbara Boxer to 

Luigi Mastri 

Question 1. The Digital Advertising Alliance (DAA) created the AdChoices icon to 
provide users notice and an opportunity to opt out of behavioral advertisements. In 
his written testimony, Mr. Anderson cited a study from Carnegie Mellon University 
that found that 0.0035 percent of users clicked on the AdChoices icon when pre- 
sented with it and only 1 in 20 of these users proceeded to opt out. Would you say 
that the implementation of the AdChoices icon has been successful? 

Answer. Yes. The DAA program developed a universal icon to give consumers 
transparency and control for interest-based ads. The icon provides consumers with 
notice that information about their online interests is being gathered to customize 
the web ads they see. Clicking the icon also allows consumers to choose whether 
to continue to allow this type of advertising. 

The icon is served more than one trillion times each month on or next to Internet 
display ads on websites. The DAA reached this milestone within a short 18 months 
from program launch. This achievement represents an unprecedented level of indus- 
try cooperation and adoption. 


1 Interactive Advertising Bureau Press Release, “Internet Ad Revenues Again Hit Record- 
Breaking Double-Digit Annual Growth, Reaching Nearly $37 Billion, a 15 percent Increase Over 
2011’s Landmark Numbers” (April 16, 2013) (reporting results of PricewaterhouseCoopers 
study). 

2 Hamilton Consultants, Inc. with Professors John Deighton and John Quelch, Economic Value 
of the Advertising-Supported Internet Ecosystem, at 4 (June 10, 2009), available at http: I j 
www.iab. net / media Ifile! Economic-Value-Report.pdf 

»Id. at 53. 
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The icon serves as the main gateway to the DAA’s choice page. With the rise in 
the number of icons displayed, visitors to the DAA choice page have also increased. 
In 2012, more than 5.2 million unique users accessed the resources provided at 
www.aboutads.info, which is more than three times the 2011 figure. Overall, since 
program launch, more than 8 million visitors have accessed the DAA program opt- 
out tool, and more than 2 million unique users have exercised choice. 

Question 2. How does the DAA measure the effectiveness of the AdChoices icon 
as a public education and user empowerment tool? 

Answer. The DAA is deeply committed to consumer education. In 2012, the DAA 
launched a dedicated educational site at www.YourAdChoices.com. The site provides 
easy-to-understand messaging and informative videos explaining the choices avail- 
able to consumers, the meaning of the DAA Icon, and the benefits they derive from 
online advertising. 

In 2012, companies participating in the DAA program voluntarily donated more 
than four billion impressions to support an educational campaign for www.Your 
AdChoices.com. 

Since the campaign launched in late January 2012, more than 13.5 million unique 
users have visited this educational site. This site also provides access to the DAA’s 
user choice mechanism. The combination of the educational campaign and the ubiq- 
uitous availability of the DAA Icon have significantly increased consumer usage of 
the DAA program tools. 

In 2012, more than 5.2 million unique users accessed the resources provided at 
www.aboutads.info. Of those visitors, nearly one million unique users exercised 
choice using the integrated opt out mechanism provided at that site; moreover, a 
total of two million unique visitors have now exercised opt out choices since the pro- 
gram launch. Many users visit the website, learn about their choices, and ultimately 
choose not to opt out. We believe that this shows that once consumers understand 
how online advertising works, many prefer to receive relevant ads over irrelevant 
ads. Research supports this proposition. A recent poll of U.S. consumers shows that 
68 percent of Americans prefer to get at least some Internet ads directed at their 
interests and included in this total are 40 percent of Americans who prefer to get 
all their ads directed to their interests."* 

Question 3. Mr. Brookman writes in his testimony that the DAA AdChoices pro- 
gram is almost entirely cookie-based. In other words, when a user deletes her cook- 
ies, she likely also deactivates her preference to opt out of tracking by DAA mem- 
bers. Is it true that a user’s preference not to be tracked disappears when she de- 
letes her cookies? 

Answer. No. More than a year ago, the DAA developed, at great expense, a suite 
of browser plug-ins to make consumer choices persistent. Through these “hardened” 
opt-outs, a consumer’s preferences will remain active even if she deletes her cookies. 

Question 4. Is the DAA taking steps to create a more persistent opt-out mecha- 
nism? 

Answer. The DAA currently provides consumers with persistent opt-out mecha- 
nisms. 

Question 5. Mr. Brookman also claims in his testimony that opting out through 
the AdChoices program prevents only the display of targeted advertising to a user 
and not the tracking itself. Are DAA members permitted to track users who have 
opted out through the AdChoices mechanism as long as they do not display targeted 
advertisements to those users? 

Answer. The DAA’s Principles cover both the collection and use of web viewing 
data for purposes including, but not limited to, interest-based advertising. Where a 
consumer has exercised choice under the DAA Program, companies should stop the 
collection and use of data from the computer or device for any purpose except collec- 
tion and use for narrow purposes specified in our Principles and described in our 
next response. 

Question 6. If so, how may DAA members use the tracking data they collect from 
users who have expressed a preference to opt out from behavioral advertising, and 
how are these data used in practice? 

Answer. In November 2011, the DAA extended its Principles beyond advertising 
to cover the collection and use of all Multi-Site Data except collection for narrow 
purposes including operational and system management purposes, fraud prevention 
and security, content delivery, market research, and product development, and data 
that has been de-identified. Some collection of data is vital to workings of the Inter- 


Interactive Survey of U.S. Adults commissioned by the DAA (April 2013), available at 
http:! / www.aboutads.info/DAA-Zogby-Poll. 
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net ecosystem, and limiting collection of this data would result in a reduced online 
experience for consumers. 

Significantly, the DAA Multi-Site Data Principles prohibit the use of Weh viewing 
data for employment eligibility, credit eligibility, healthcare treatment eligibility, 
and insurance eligibility and underwriting and pricing. 

Question 7. In February 2012, the DAA announced plans to implement, within 
nine months, policy changes that would respect users’ tracking preferences as ex- 
pressed through browser header signals. Why has the DAA not implemented these 
policy changes? 

Answer. For more than two years, the DAA has been offering an effective, one- 
button choice mechanism that empowers consumers to stop the collection of web 
viewing data by third parties. At a highly-publicized White House event last year, 
the DAA announced an agreement to honor the DAA Principles through a browser 
signal when consumers both (1) receive meaningful information about the effect of 
that choice, and (2) affirmatively makes that choice themselves. It was agreed that 
the DAA standard would not apply in instances where (1) and (2) do not occur or 
where any entity or software or technology provider other than the user exercises 
such a choice.® 

Unfortunately, the White House agreement was short-circuited due to contrary 
approaches taken by Microsoft and Mozilla. 

Microsoft subsequently released its new version of IE 10 with “do not track” 
turned “on” as a default setting, in direct conflict with the agreement they helped 
develop with the White House. 

Mozilla has implemented what it refers to as a “do not track” tool in the current 
Firefox release also without following the White House agreement, for example by 
not describing for consumer the impact of their choice and creating inaccurate con- 
sumer expectations. Mozilla’s interface permits users to check a box to “Tell 
websites I do not want to be tracked.” Nothing more is provided to users; for exam- 
ple, consumers are not told that, by exercising such choice some data may still be 
collected. This implementation conflicts with the workable standard developed 
through industry consensus in 2012 and does not provide consumers with clear in- 
formation about the effect of their choices. 

Question 8. Are DAA members currently acknowledging browser-based signals 
from users? 

Answer. The DAA’s Principles call on companies to provide consumer with choice 
with respect to the collection and use of web viewing data. To help companies imple- 
ment the Principle of Control, the DAA developed, implemented, and maintains a 
consumer choice page through which consumers can set their preferences. 

Until there is a universal meaning and implementation consistent with the Agree- 
ment at the White House across all browsers, DAA will continue to call for compa- 
nies to provide choice via DAA’s effective choice tools and not require companies to 
adhere to tools that that promote confusion for consumers and do not meet the 
DAA’s consensus standard for consumer control. 

Question 9. If not, what prevents them from doing so? 

Answer. The DAA seeks to develop universal standards that deliver a consistent 
user experience. Unfortunately, Microsoft and Mozilla implemented browser based 
choice mechanisms in ways that are inconsistent with the consensus achieved with 
the White House, Federal Trade Commission, the Department of Commerce, and the 
browser community. 

Until there is a universal meaning and implementation consistent with the Agree- 
ment at the White House, DAA will continue promote its current, effective choice 
tools and not require companies to adhere to tools that do not meet the DAA’s con- 
sensus standard for consumer control. 


^DAA Position on Browser Based Choice Mechanism, available at https:/ Iwww.aboutads 
. info ! resource ! download /DAA Commitment.pdf 
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Response to Written Questions Submitted by Hon. Ron Johnson to 

Luigi Mastria 

Question 1. What are the harms that are actually occurring to consumers through 
anonymous cookie-based “tracking?” As indicated in Mr. Mastria’s testimony, the 
primary privacy concerns for most consumers online have to do with identity theft, 
viruses and malware, and government surveillance. So, what harms are occurring 
that the FTC doesn’t currently already have the authority to address? 

Answer. I am unaware of any consumer harm caused by the use of cookies to as- 
sociate online data across sites and over time or any empirical evidence to support 
the idea that consumers are harmed from the collection and disclosure of this 
anonymized, aggregate data. Despite this lack of evidence of concrete harms, DAA- 
participating companies recognize that consumers have different preferences about 
online advertising and data collection. To continue to build consumer trust in the 
online experience, the DAA has developed principles that help ensure consumers 
have meaningful choices about how data is collected and used. For those consumers 
that do not want information collected via cookies, they may elect to opt out via a 
simple, easy-to-use choice mechanism available at www.aboutads.info ! choices. 

Cookies are a well-established and very transparent technology that benefits con- 
sumers in many ways, such as by facilitating the delivery of rich content, products, 
relevant content and advertising, and security and fraud prevention services. 

Cookies are also used to enable online advertising, which fuels the Internet eco- 
nomic engine. The online advertising industry is a beacon for innovation and job cre- 
ation. In 2012, Internet advertising revenues reached a new high of $36.6 billion, 
an impressive 15 percent higher than 2011’s full-year number.^ Because of this ad- 
vertising support, small and medium-size publishers can provide consumers with ac- 
cess to a wealth of online resources at low or no cost. Revenue from online adver- 
tising facilitates e-commerce and subsidizes the cost of content and services that 
consumers value, such as online newspapers, weather, Do-It-Yourself websites, 
blogs, social networking sites, mobile applications, e-mail, and phone services. Ac- 
cording to a recent poll by Zogby Analytics, 92 percent of Americans think free con- 
tent like news, weather and blogs is important to the overall value of the Internet.^ 

This cookie-based model delights consumers and creates jobs across America, fos- 
tering a competitive marketplace that drives down prices for consumers and costs 
for businesses. The Internet has become the focus and a symbol of the United 
States’ famed innovation, ingenuity, inventiveness, and entrepreneurial spirit, as 
well as the venture funding that flows from these enormously productive and posi- 
tive efforts. A 2009 study found that more than three million Americans are em- 
ployed due to the advertising-supported Internet, contributing an estimated $300 
billion, or approximately 2 percent, to our country’s GDP.^ There is employment 
generated by this Internet activity in every single congressional district across the 
United States.^ 

To help preserve this vibrant ecosystem, the DAA developed the Multi-Site Data 
Principles (“MSD Principles”) to provide consumers with control with respect to 
their Web viewing data used for advertising and non-advertising purposes while pre- 
serving commonly-recognized uses of data, including for operational purposes such 
as fraud prevention, intellectual property protection, compliance with law, authen- 
tication and verification purposes, billing, and product or service fulfillment. The 
MSD Principles also permit the use of data that has gone or will within a reason- 
able period of time from collection go through a de-identification process, or that is 
used for market research or product development. This approach helps ensure the 
continued flow of data that is vital to the workings of the Internet, to the consumer 
online experience, and for building tomorrow’s Internet. 

I have included a recent Zogby poll, which illustrates concrete concerns among 
consumers. Specifically, Americans’ privacy concerns are focused on real threats like 
identity theft, virus, malware, and cyber-bullying (see attached survey results). 
These harms are not caused by anon 3 Tnous, cookie-based data collection. 


1 Interactive Advertising Bureau Press Release, “Internet Ad Revenues Again Hit Record- 
Breaking Double-Digit Annual Growth, Reaching Nearly $37 Billion, a 15 percent Increase Over 
2011’s Landmark Numbers” (April 16, 2013) (reporting results of PricewaterhouseCoopers 
study). 

2 Interactive Survey of U.S. Adults commissioned by the DAA (April 2013), available at 

http:! ! www.ahoutads.info ! resource t image ! Poll ! Zogby _DAA Poll.pdf. 

3 Hamilton Consultants, Inc. with Professors John Deighton and John Quelch, Economic Value 
of the Advertising-Supported Internet Ecosystem, at 4 (June 10, 2009), available at http:! j 
www.iab. net / media Ifile! Economic-Value-Report.pdf. 

^Id. at 53. 
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Question 2. Response to Written Questions Submitted by Hon. to Mr. Anderson 
points out in his testimony that the digital advertising business has grown, reaching 
a record breaking $36.6 billion in 2012. As he puts it, “there is real money at stake.” 
Can you comment on the impact that government mandates, such as those proposed 
in several privacy bills, may have on your industry and the jobs that digital adver- 
tising supports? 

Answer. Government mandates and regulation, particularly in such a rapidly-de- 
veloping area as the digital space, can stifle innovation, reduce competition, slow job 
growth, and add unnecessary costs. In a congressional hearing on “Internet Privacy: 
The Impact and Burden of EU Regulation,” Professor Catherine Tucker of the MIT 
Sloan School of Management testified about the effect on advertising performance 
of the European Union’s e-Privacy Directive, which limits the ability of companies 
to collect and use behavioral data to deliver relevant advertising.® 

Professor Tucker’s research study found that the e-Privacy Directive — government 
mandates impacting the digital advertising ecosystem — was associated with a 66 
percent drop in advertising performance, measured as the percent of people express- 
ing interest in purchasing an advertised product.® The study also found that the ad- 
verse effect of such regulation was greatest for websites with content that did not 
relate obviously to any commercial product, such as general news websites. Pro- 
fessor Tucker cautions: “on the basis of this evidence, it is reasonable to say that 
privacy regulation could have sizable effects for the advertising-supported inter- 
net.” Professor Tucker advises that “polic 3 Tnaking in the area of privacy regulation 
needs to be careful and fulfill the twin aims of protecting consumer privacy and en- 
suring that the advertising-supported Internet continues to thrive.”® 

As noted above, in 2012, Internet advertising revenues reached a new high of 
$36.6 billion, an impressive 15 percent higher than 2011’s full-year number.® In ad- 
dition, a 2009 study found that more than three million Americans across the 
United States are employed due to the advertising-supported Internet, contributing 
an estimated $300 billion, or approximately 2 percent, to our country’s GDP.i® We 
remain concerned that laws and regulations are inflexible and can quickly become 
outdated in the face of extraordinarily rapidly-evolving technologies. When this oc- 
curs, legislation thwarts innovation and hinders economic growth and can impede 
a competitive marketplace that offers a full range of choice to consumers. We believe 
that our commitment to and success in advancing industry self-regulation is the 
most efficient and effective way to balance consumers’ interests in privacy and inno- 
vation. 


^Empirical Research on the Economic Effects of Privacy Regulation, Catherine Tucker (No- 
vember 8, 2011), available at http: ! I cetucker.scripts.mit.edu I docs I law summary 2011.pdf. 

Bid. at 5. 

Ud. at 2. 

Bid. at 3. 

® Interactive Advertising Bureau Press Release, “Internet Ad Revenues Again Hit Record- 
Breaking Double-Digit Annual Growth, Reaching Nearly $37 Billion, a 15 percent Increase Over 
2011’s Landmark Numbers” (April 16, 2013) (reporting results of PricewaterhouseCoopers 
study). 

Hamilton Consultants, Inc. with Professors John Deighton and John Quelch, Economic 
Value of the Advertising-Supported Internet Ecosystem, at 4 (June 10, 2009), available at http:! / 
www.iab.net ! media / file / Economic-Value-Report.pdf. 
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Attachment 


Interactive Survey of US Adults (April 2013) 


In your opinion, how important is free content like news, 
weather, email, blogs and videos to the overall value to the 
Internet? 

2 . 8 % 



Extremely important to the 
overall value of the internet 

Somewhat important to the 
overall value of the internet 

Somewhat unimportant to the 
overall value of the Internet 

Completely unimportant to the 
overall value of the internet 

Not sure 


Maigin of Enor W- 3 2 percentage poins Subsets have a larger margin di erra than the whole data set As a rule we do not rely on the validdyof very small 
siCi^soflhei^ta. especially sets smaller than 90-75 respondents At that size subset we can make generalizations, but in th^ cases the data is more 
qualitative than quantitative 


Zogby 

Analytics 


Interactive Survey of US Adults (April 2013) 


Which of the following would you prefer: an Internet where there are 
no ads, but you would pay for most content like blogs, 
entertainment sites, video contact and social media, or today’s 
Internet model in which there are ads, but most content is free? 


I’d rather get free 
ad-supported content 

I’d rather pay for 
ad-free content 



Margin of &ror ■•^-32 percerjage poims Subsets have a larger margin of error than the whole data sei As a rule we do not rely on the validity of very small 
subseisofthedata, especially sets smaBer than 50-75 respondsms At that size subset we can makegenerakzations, but in these cases tt>e data is more 
qualitative than quantitative 


Zogby 

Analytics 
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Interactive Survey of US Adults (April 2013) 


Has an Internet ad ever helped you find an offer or product 
that you wouldn’t otherwise have known about? 



I Yes 
I No 
^ Not sure 


Margin of Error */- 3 2 percentage points Siijsets have a larger marg«i of error than the whole data set Asa rule wedonolrelyon the valid»y of very small 
subsets of the data, especially sets smaller than 50-75 responcfents At that see subset we can make generalizations, but m these cases the data ts mote 
qualitative than quantitative 


Zogby 

Analytics 


Interactive Survey of US Adults (April 2013) 


Have you ever purchased a product or service because you 
saw or clicked on an online advertisement? 



^ Yes 
B No 
I Not sure 


Margin of Error +/- 3.2 percentage points Sibisets have a larger ma^m of error than the whole data set. As a rule we do not rely on the valKkly of very small 
subsets of the data, especially sets smaller than 50-75 responc^ts. At that ^ subset we can make gener^zahons. but m these cases the data is more 
qualitative than quantitative 


Zogby 

Analytics 
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Interactive Survey of US Adults (April 2013) 


Has an online advertisement ever helped you save money on 
a purchase or saved you time in finding it? 



^ Yes 
I No 
B Not sure 


Margin of Error *1- 3 2 percentage poirts Subsets have a larger maign of error than the whole dsta set As a rule we do ml rely on the valxMy of very small 
subsetsofthedata.esp^lly sets smaller than 50-75 respoodents Al that size subset we can mefcegenerabations, but m these cases the data is m«e 
qualitative than quantitative 


Zogby 

Analytics 


Interactive Survey of US Adults (April 2013) 


Would you rather see Internet ads for random/generic 
products and services, or ads for products and services that 
reflect your interests? 



■ I’d rather see ads directed 
towards my interests 

■ I’d rather see ads for random 
products and services 

■ Both 
I Not sure 


Maigin of Enor ->/• 3 2 percentage points Subsets have a larger margin cf emcv than the whole data sel As a lule we do not rely on the validilyof very small 
subselsoflhecfeta, specially sets smallef than 50-75 respondents At that size subset we can make generalizations, but in these cases Ihedata is more 
qualitative than quantitative 


Zogby 

Analytics 
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Interactive Survey of US Adults (April 2013) 


Would you support a law that restricted how data is used for 
Internet advertising, but also potentially reduced the 
availability of free content like blogs and video sites online? 



B Yes 
H No 
^ Not sure 


Margin of Error */- 3.2 percentage points Subs^s have a larger margm ot error than the whole data sel. As a njfewe do not rely on the valKSy of very small 
subsets of the cbta, specially sets smaller than 50-75 respoiwits At that see subset we can make generakzatnns. but in these cases the data is more 
qualitative than quantitative 


Zogby 

Analytics 


Interactive Survey of US Adults (April 2013) 


Who should be making choices about what sorts of ads I see 
and how they are generated? 



■ I should be able to choose 
for myself 

■ The company that makes my 
browser software should choose 

■ The government should 
choose for me 

I Not sure 


Margin of Error ->/- 3 2 percentage points Subsets have a larger margn of error than the whole data set As a rule we do not rely on the validty of very small 
subsets of the cbta, especially sets smaller than 50-75 respcocfents At that see subset we can make generakzations, but in these cases the data is more 
qualitative than quantitative 


Zogby 

Analytics 
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Interactive Survey of US Adults (April 2013) 


What is your biggest concern about the Internet? 



Identity theft 


Viruses and maiware 

Cyber-bullying/stalking 

Government surveillance 
of data 

Behaviorally targeted 
internet advertising 

Not sure 


Margin of Error */- 3.2 percentage poirte Subs^s have a larger margin of error than the whole daia selAsatutewedonolrelyonihe vdKlIy of very small 
subsets of the cteta, epecelly sets smaller than 50-75 respoixtents At that see stbsel we can make generafealons, but in these cases the data is ntore 
qualitative than quantitative 


Zogby 

Analytics 


Interactive Survey of US Adults (April 2013) 


Do you trust the government to regulate how Internet 
advertising is delivered? 



I Yes 
I No 
^ Not sure 


Margin cf Error *1- 3 2 percentage points Subsets have a larger margin of error than the whole data set As a rule we do not rely on the valHMy of very small 
sub^sof the data, especially sets smaller than 50-75 respondents A1 that size subset we can make generakzaliors, but in these cases the data is more 
qualitative than quantitative 


Zogby 

Analytics 





85 


Interactive Survey of US Adults (April 2013) 


If a major Internet browser makes it harder for companies to 
display advertising to users, what do you think will be the impact 
on your user experience? 



■ I will have access to less 
free content 

I It will have no effect 

■ I will have access to 
more free content 

I Not sure 


Margin of Error V- 3 2 percentage poms Suteels have a larger margin of errct than the whole data set Asanjlewedonolretyonthe valKtty of very small 
subsetsofthedata, especially sets srnate than 50-75 respondents At that see subset we can make generakzations, but in these cases theoata is more 
qualitative than quantitative 


Zogby 

Analytics 


Methodology 


About the Survey: 

The Digital Advertising Alliance commissioned Zogby Analytics to conduct the 
survey of 1 ,000 U.S. likely voters nationwide from April 2-3, 2013. Slight weights 
were added to age, race, gender, region, party, education, and religion to more 
accurately reflect the population. The margin of error is +/- 3.2 percentage points. 

About Zogby Analytics: 

For three decades, the Zogby companies have produced polls with an 
unparalleled record of accuracy and reliability. Zogby telephone and interactive 
surveys have generally been the most accurate in U.S. Presidential elections 
since 1996. 

Zogby Analytics conducts a wide variety of surveys internationally and nationally 
in industries, including banking, IT, medical devices, government agencies, 
colleges and universities, non-profits, automotive, insurance and NGOs. 
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Response to Written Questions Submitted by Hon. John D. Rockefeller IV 

TO Justin Brookman 

Question 1. The DAA’s testimony focused largely on its own self-regulatory pro- 
gram, the basis of which can be found in its Self-Regulatory Principles for Multi- 
Site Data. Mr. Mastria says that the DAA’s choice mechanism is consistent with the 
recommendations of the Federal Trade Commission, and that its program and choice 
tools “share and meet the goals” of my Do-Not-Track legislation. Do you believe that 
the DAA’s self-regulatory program and choice mechanism, in their current form, are 
sufficient for consumers? Why or why not? 

Answer. CDT believes that the DAA’s self-regulatory program has made some im- 
provements in recent years in response to concerns voiced by consumers, regulators, 
and members of Congress. However, the current DAA opt-out structure still suffers 
from a number of fundamental flaws: 

• It only applies to advertisers that are members of the DAA; companies that 
don’t sign up and pay for membership are not included, and receive no indica- 
tion that indication that a user does not want to be tracked. Although Mr. 
Mastria repeatedly described the DAA pro^am as “universal” both in his writ- 
ten and oral testimony,^ at one point he admitted that the program only covers 
“90 to 97 percent” of the advertising ecosystem.^ Mr. Mastria did not reveal the 
methodology behind these numbers. 

• The DAA opt-out is almost always cookie-based. If a user deletes her cookies — 
or if they are routinely deleted by her anti-virus software, as is often the case — 
the opt-out disappears, and even DAA companies subsequently have no way of 
knowing that the user does not want to be tracked. Users do have the oppor- 
tunity to download and install browser add-ons to preserve opt-outs on the DAA 
site, but only if a user clicks on a vague link entitled “Protect My Choices” in 
the corner of the page.® The link is offered without any explanation or context 
about what “Protect My Choices” means. Somewhat confusingly, the opt-out 
page later implies that the only effective approach to protecting one’s choices 
is to periodically visit the DAA page: 

The opt out choices you select are stored in opt out cookies only in this 
browser, so you should separately set your preferences for other browsers 
or computers you may use. Deleting browser cookies can remove your opt 
out preferences, so you should visit this page periodically to review your 
preferences, or update to include new participating companies. 

• The opt-out only prevents users from seeing targeted ads, which are based on 
information gathered from tracking. However, it does not prevent tracking 
itself. While the DAA’s Multi-Site Principles in principle agree with the notion 
of collection limitation, in practice, the code’s bases for collection are extremely 
broad, and any justification to understand “consumer preferences and behaviors 
[or] research about consumers, products, or services” could justify individualized 
data collection despite the user’s opting out.’‘ 

• It is not clear how many consumers have noticed the ad icon or understand that 
it is intended to signal that behavioral data collection is occurring. Moreover, 
the interface through which users are presented their choices around tracking 
and opting out both through the AdChoices icon and on the DAA website are 
confusing.® For example, the TrustE interface lists a handful of tracking compa- 


1 Testimony of Luigi Mastria before the Senate Committee on Commerce, Science & Transpor- 
tation, Hearing on A Status Update on the Development of Voluntary Do-Not-Track Standards, 

April 24, 2013, http: I jwww.commerce.senate.gov I public I ?a=Files.Serve&File id=cd2e39e0-6825 

-4b8c-9789-40d26a72d457; Draft Transcript, Senate Committee on Commerce, Science & Trans- 
portation, Hearing on A Status Update on the Development of Voluntary Do-Not-Track Stand- 
ards, April 24, 2013, at 25—2. 

2 Draft Transcript, Senate Committee on Commerce, Science & Transportation, Hearing on A 
Status Update on the Development of Voluntary Do-Not-Track Standards, April 24, 2013, at 70— 
17. 

® Digital Advertising Alliance, Opt Out from Behavioral Advertising (Beta), httpijjwww 
.aboutads.info I choices I . 

'I Digital Advertising Alliance, Self- Regulatory Principles for Multi-Site Data, http:/ jwww 
.aboutads.info i resource / download / Multi-Site-Data-Principles.pdf. 

® A. M. McDonald and Lorrie Faith Cranor, Social Science Research Network, “Beliefs and be- 
haviors: Internet users’ understanding of behavioral advertising,” October 2010, http'.jjpa- 

pers.ssrn.com/ sols I papers.cfm/abstract id=1989092; Pedro G. Leon et al., Carnegie Mellon 

University CyLab, “Why Johnny can’t opt out: A usability evaluation of tools to limit online be- 
havioral advertising,” October 2011, http:/ / www.cylab.cmu.edu /research /techreports 12011/ 
tr cylabl 1 01 7.html. 
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nies, but not all for which a user could opt out. Even then, TrustE’s interface 
does not allow a user to opt out of all of even this handful — instead a user is 
instructed to go to the third-party service to opt out individually. You can only 
opt out of all DAA members if you click through to an undefined link reading 
“Industry Resources” in the corner of the page: 



Your Advertising Choices 


How doe# it work? 

Advertisers may cdiect data about your online browsing 
activity and use it to show you targMed ads (a process 
krxtwn as ‘behavlora! advenslng*). 

You can prevent trie companies listed below Awn showing 
you targeted ads by submitting opt-outs. Opting-out wUi 
only prevent targeted ads so you may continue to see 
generic (non-targeted ads) from these companies after 
you oM-out. 

You may opt In to behavtoraliy targeted ads anytime by 
delellng your browser's cookies. 




AD 

PROVDER 

TtrgmedAd . 

Generic Ad 

WEBSfTE 

■m 




Leam More 






Select All 

1 Company 

Company Typo 

- 

Statue 

Opi-oul 


- eXelMa Media 

Exchange 




- Experlan 

Data Provider / Aggregator 


‘1- 

- txi 

Attnlxjtlon / Analybcs 



• Magnetic (Oomdex) 

Exchange 


no cookie 


• Proximic 

Data Providor / Aggregator 




- Quenicast 

Data Provider / Aggregator 




Slmpll.f1 

Retargeting / OpQmlzation 


© 


- TARGUSinfo 

Data Provider / Aggregator 

no cookie 



• uKnow 

Retargeting / Opomizabon 


© 

1 


Educate Youraelf 


Leam more about behavioral advertising 
and your choices. 

[> Industry Resources > 

* reuSTe Resources » 


Contact TRUST# 


Questions? Concerns? Let us knowl 
Contact TRUSTe > 


Follow TRUST# 


In Sin Joss tor atspp tcsdsmy? Join us 
TONIGHT for • codcM hour eunqber 
ri0py/tcxVET4uO4Ym 


new poMtrom our EMEA director Qdlabovfo: is 
enforcetnent around the comer for ihe ELI 
CooWe Oiecove? Nip7/tcor22o8Q0ib 


About TRUST* Conleci Ut IVivecy Pokey Tame oT 8*>viee 

Question 2. Can the DAA’s existing self-regulatory scheme be narrowed or 
changed in some way as to place reasonable, meaningful limits on the collection of 
consumer’s information? How? 

Answer. As we have previously advocated,® any global opt out regime must more 
meaningfully address data collection and retention than the current DAA principles 
do. We believe that product improvement and market research should not be per- 
mitted exceptions that trump a user’s opt out instruction. Furthermore, we believe 
that DAA should require companies to state their data retention periods for legiti- 
mate permitted exceptions such as security and fraud prevention. 

However, improvements to the DAA still will not achieve universality of protec- 
tion. As I noted at the hearing in response to a question from Senator Heller, there 
are ad networks like Dataium that operate outside of the DAA that use personally 
identifiable information to track users’ web surfing habits.'^ Moreover, companies 
like Facebook and Twitter — who have more third-party tracking elements on 
websites than any ad network — are not DAA members and are not bound by their 
principles.® 

Ultimately, we believe that comprehensive data protection law is needed to ensure 
that all companies honor user control mechanisms online and offline. Self-regulatory 
codes of conduct such as the DAA principles and Do Not Track could qualify for safe 
harbor status under the privacy protection frameworks proposed by President 
Obama in his Consumer Privacy Bill of Rights, if the Federal Trade Commission 


® Center for Democracy & Technology, 'What Does Do Not Track Mean?, April 27, 2011, 
https: II www.cdt.org ! files I pdfs 1 20110447_DNT_v2.pdf; Erica Newland, CDT compromise pro- 
posal to the W3C Washington Face to Face meeting, April 7, 2012, http:! ! Iists.w3.org I Archives ! 
Public ! public-tracking / 20 12 Apr ! 0078.html. 

"^Jennifer Valentino-Devries and Jeremy Singer -Vine, “They Know What You’re Shopping 
For,” Wall Street Journal, December 7, 2012, http: II oniine.wsj.com ! article ! SB1000142412788 
7324784404578143144132736214.html. 

^Digital Advertising Alliance, Participating Companies, http:! ! www.aboutads.info ! partici- 
pating. 
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deems them sufficient to fully protect user privacy. Unfortunately, the current DAA 
code, despite significant improvement in recent years, would he unlikely to merit 
such a finding today. 


Response to Written Questions Submitted by Hon. Barbara Boxer to 
Justin Brookman 

Question 1. In your written testimony, you recommend that third-party companies 
he permitted to collect and use unique identifiers from users for operational pur- 
poses hut not for secondary purposes. How do you distinguish operational purposes 
from secondary purposes? 

Answer. We believe that data collection that is reasonably necessary for the deliv- 
ery of non-targeted advertising qualifies as a purpose for which a company may col- 
lect data despite a Do Not Track signal from the user. For example, a third-party 
ad network needs to collect a user’s IP address as well as information about the 
user’s device and browser just to be able to render an advertisement. We believe 
that cookies may in some cases be reasonably necessary to meaningfully prevent 
click-fraud and for accounting and attribution purposes. However, if those same nec- 
essary purposes could be reasonably accomplished without using cookies, companies 
should be prevented from using cookies for those purposes when Do Not Track is 
enabled. 

We believe that purposes such as targeted advertising, market research, and prod- 
uct improvement are secondary uses that are not necessary for the mere delivery 
of advertisements, and should be prevented when Do Not Track is enabled. While 
we certainly agree that there can be societal value from these activities, we believe 
that a user’s decision to disable cross-site tracking should be honored in these cases, 
and all others where the collection and retention of user data is not actually re- 
quired for third-party (non-behavioral) advertising to function. 

Question 2. How do consumers’ expectations differ with respect to first-party and 
third-party tracking? 

Answer. First-party tracking is considerably more intuitive than tracking by third 
parties. It is not particularly surprising to a user when Amazon suggests products 
based on items previously purchased from the service, when The New York Times 
recommends stories based on what you’ve read on their site, or when Weather.com 
remembers the locations for which you’ve requested weather forecasts. In each of 
these cases, the user has made the decision to utilize a service and to affirmatively 
provide information to the service, either actively (by purchasing products or filling 
out web forms) or at least passively (in the case of The New York Times above, by 
clicking on articles). 

On the other hand, users often have no relationship whatsoever with most third- 
party tracking elements on websites. They have not made the decision to interact 
with those services, and have not intended to provide them with information. More- 
over, third-party tracking services have the capacity to track users over multiple 
websites, so they have the ability to glean much more information about a user over 
a variety of disparate services, with little to no indication to the user that the track- 
ing is occurring other than potentially targeted advertisements. For these reasons, 
we believe that third-party tracking is of more privacy concern than first-party 
tracking, though we believe that users should have control over first-party tracking 
as well. However, Do Not Track was originally formulated as a means to address 
just the more vexing third-party tracking issue.® 

Question 3. Do you support Mozilla’s and Apple’s decisions to block third-party 
cookies by default? 

Question 4. What steps can be taken to address non-cookie tracking such as dig- 
ital fingerprinting? 

Answer. Given the proliferation of tracking in recent years i® and the lack of reli- 
able control over third-party data collection,!^ we believe that Mozilla’s and Apple’s 
decisions to disable third-party cookies are justified. Both companies can legiti- 


® Center for Democracy & Technology, Submission In advance of the FTC Town Hall, 
“Ehavioral Advertising: Tracking, Targeting, and Technology,” to be held November 1-2, 2007 
in Washington, D.C., October 31, 2007, https:! Iwww.cdt.org jprivacyl20071031consumer 
protectionsbehavioral.pdf. 

Julia Angwin, “The Web’s New Gold Mine: Your Secrets,” The Wall Street Journal, July 30, 
2010, http://online.wsj.comlarticlelSB10001424052748703940904575395073512989404.html; 

George Simpson, “Suicide by Cookies,” MediaPost, February 22, 2013, http:/ / www. media 
post.com/publications/article / 194073 / suicide-by-cookies.html#axzz2REncGaSy. 

!!See supra pp 1-2. 
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mately claim that the majority of users do not like behavioral advertising, as Micro- 
soft did in explaining why it pushes users to turn on Do Not Track during the in- 
stallation of Internet Explorer lOT^ On the other hand, Google’s decision to enable 
third-party cookie setting is defensible as well, so long as there are reliable controls 
through which users can disable such cookies. Fortunately, there appears to be suffi- 
cient competition among browsers at the moment to give users a range of options 
in balancing privacy and usability. 

While we are supportive of Apple’s and Mozilla’s decision to block third-party 
cookie setting by default, that is a short-term solution. Both browsers still make 
available other information to ad networks, including IP address and information 
about the configuration of the user’s browser, through which companies can identify 
users across services with some reliability using digital fingerprinting techniques. 
Currently, the only way to reliably prevent fingerprinting is through preventing 
third-party connections from websites. Unfortunately, this results in ad and widget 
blocking, which prevents publishers from serving even privacy-protective advertising 
(non-behavioral ads with limited data retention). We are hopeful that browsers will 
ultimately be able to obscure individual browsers enough — or otherwise limit infor- 
mation about browsers that can be called by third parties — that digital 
fingerprinting will no longer be a reliable tracking technique. However, until that 
occurs, users (or software acting on behalf of users) can justifiably block third par- 
ties that do not publicly commit to honor user requests to stop cross-site tracking. 


Response to Written Question Submitted by Hon. Frank R. Lautenbeeg to 

Justin Beookman 

Question. A 2010 Wall Street Journal series on online privacy illustrated the ex- 
tent to which individuals are being tracked and how the invasive practice can cause 
real harm. A recent high-school graduate, who had been identified by advertisers 
as concerned about her weight, told the paper she sees weight-loss ads every time 
she goes on the Internet. She said, “I’m self-conscious about my weight. I try not 
to think about it . . . then [the ads] make me start thinking about it.” Do you be- 
lieve this qualifies as a real harm? 

Many believe the lack of transparency — particularly with regard to 3rd party 
cookies — and an individual’s inability to know what personal information is actually 
being collected can cause real harm because consumers don’t have the ability to un- 
derstand how to protect themselves from invasive tracking. Do you agree that this 
is a harm? 

Do you believe that consumers have a basic right to privacy online? 

Answer. First of all, we do not believe that harm is the appropriate threshold to 
meet for when private companies should decide to comply with user preferences. “Do 
Not Track” is largely intended to mirror the opt-out regime that the advertising in- 
dustry already supports, but with some improvements to durability and scope. Pre- 
viously, neither browsers nor advertising companies argued that users should have 
to demonstrate harm in order to opt out of behavioral advertising, or to block or 
delete third-party tracking elements such as cookies. 

We agree that users can experience some degree of harm through being reminded 
that some unknown third parties possess sensitive and potentially embarrassing in- 
formation about the user, as in the weight loss example you suggest. However, more 
fundamentally, we believe that a user has a fundamental interest in protecting all 
their personal information from being exposed to unwanted parties — including an 
interest in shielding information about their web surfing from advertising compa- 
nies. Users have a right to read online content anonymously that stems from a nat- 
ural desire to preserve a personal space where our activities and motivations are 
not recorded, evaluated, and preserved. Unfortunately, online tracking today is 
hardly anonymous. In some cases, behavioral profiles are tied explicitly to person- 
ally identifying information. In other cases, because those profiles are persistently 
linked to individual devices, they necessarily could be tied to personally identifying 
information in the future (either by obtaining identifying information such as a 
name or e-mail address from a website that has possesses that information, or 


12 Brad Smith, Privacy and Technology in Balance?, Microsoft on the Issues, October 26, 2012, 

http: / / blogs, technet.com Ibl microsoft on the issues ! archive 120121 10126! privacy -and-techno 

logy-in-balance.aspx. 

12 Jennifer Valentino-Devries and Jeremy Singer-Vine, They Know What You’re Shopping For, 
Wall Street Journal, December 7, 2012, http: i j online.wsj.com j article i SB1000142412788 
7324784404578143144132738214.html; Jonathan Mayer, Tracking the Trackers: Where Every- 
body Knows Your Username, Center for Internet and Society Blog, October 11, 2011, http:! ! 
cyberlaw.stanford.edu / blog 1201 1 i 10 j tracking-trackers-where-everybody-knows-your-username. 
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through a subpoena to an Internet service provider for identifying information asso- 
ciated with an Internet protocol (IP) address. 

We do not believe, however, that this right — or privacy rights in general — are ab- 
solute. Many times they intersect with others’ free expression rights, such as the 
right of the press to report truthful factual information about individuals. Other 
times, we believe that information about individuals may justifiably be collected on 
an opt-out, instead of opt-in basis, based on the sensitivity of the information at 
stake. Many categories of behavioral data collection might fall into rights that are 
reasonably enforceable only on an opt-out basis. However, that opt-out right must 
be robust and scalable, so that users can stop (or at least meaningfully limit) data 
collection by third parties with which a user has no relationship. 


Response to Written Questions Submitted by Hon. Amy Klobuchar to 

Justin Brooman 

Question 1. Most consumers would like to believe that their information is private, 
secure, and accurate. However, with rapidly changing technologies and platforms 
consumers are no longer sure. Can you discuss how you feel consumers are reacting 
to the host of privacy options that are out there and share your views on if they 
are more or less trusting when it comes to online information? 

Answer. There is ample evidence that users are increasingly skeptical of online 
tracking behaviors, and that they reject the basic behavioral advertising model as 
ille^timate.i’^ Users are also starting to take advantage of tools to fight back 
against the monitoring of their online activities. A large percentage of users have 
installed anti-spyware/anti-virus software that deletes third-party tracking cookies 
on a regular basis. The most popular web extension on the Internet is Ad Block 
Plus, which prevents third parties from doing any tracking of users (but also pre- 
vents privacy-protective advertising as well).i® And over 17 percent of users have 
turned on “Do Not Track” in the Firefox web browser — despite the fact that it is 
not yet being honored by the majority of third-party trackers — with the percentage 
of Firefox mobile users likely to be significantly higher, 

Unfortunately, each of these approaches is imperfect. “Do Not Track” was con- 
ceived as a middle-ground solution that allows for the serving of third-party content 
while significantly limiting the amount of information that third parties can collect 
about users. If industry cannot agree to honor users’ Do Not Track signals, then 
browsers are likely to take more drastic actions to protect their user base. For years, 
privacy advocates have worried that in an arms race between users and ad net- 
works, users, who by and large lack the sophistication and technical skills of the 
ad networks, were destined to lose. However, with the browsers increasingly acting 
in accordance with the desires of their user base, that result is no longer a foregone 
conclusion. If trade associations continue to stick their heads in the sand and ignore 
consumer sentiment about their practices (instead of establishing a value propo- 
sition to users about behavioral advertising’s benefits), moves like Mozilla’s and Ap- 


i^See e.g., Scott Cleland, Americans Want Online Privacy — Per New Zogby Poll, PUBLIUS’ 
FORUM, June 9, 2010, http: 1 1 www.pubUusforum.com 1 2010 1 06 1191 americans-want-online-pri- 
vacy-per-new-zoghy-poll; Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley & 
Michael Hennessey, Contrary to What Marketers Say, Americans Reject Tailored Advertising 
and Three Activities that Enable It (Sept. 2009), http: II graphics8.nytimes.com /packages ! pdf ! 

business 1 20090929-Tailored Advertising.pdf. See also Alan F. Westin, Majority Uncomfortable 

with Websites Customizing Content Based Visitors Personal Profiles: Level of Comfort Increases 
when Privacy Safeguards Introduced, HARRISINTERACTIVE, April 10, 2008, http:/ /www 
.harrisinteractive.com I vault I Harris-Interactive-Poll-Research-MaJority-Uncomfortable-withWeb 
sites-Customizing-C-2008-04.pdf (in which majority of respondents said they were not com- 
fortable with online companies using their browsing behavior to tailor ads and content to their 
interests even when they were told that such advertising supports free services); John B. 
Horrigan, Use of Cloud Computing Services, PEW INTERNET & AMERICAN LIFE PROJECT, 
September 2, 2008, http:/ ! www.pewinternet.org / ~ / media ! / Files ! Reports ! 2008 / PIP Cloud 
.Memo.pdf.pdf (showing that 68 percent of users of cloud computing services say they would be 
very concerned if companies that provided these services analyzed their information and then 
displayed ads to them based on their actions). 

i^Firefox Add-ons, Mozilla.org, https:! I addons.mozilla.org I en-us! firefox! extensions I ?sort= 
users. 

i^Alex Fowler, Mozilla’s new Do Not Track dashboard: Firefox users continue to seek out and 
enable DNT, May 3, 2013, http://blog.mozilla.org/privacy/2013/05/03/mozillas-new-do-not- 
track-dashboard-firefox-users-continue-to-seek-out-and-enable-dnt ! ; Alex Fowler, Do Not Track 
Adoption in Firefox Mobile is 3x Higher Than in Desktop, Mozilla Privacy Blog, November 2, 
2011, http:/ / blog.mozilla.org / privacy / 2011 /II / 02 / do-not-track-adoption-in-firefox-mobile-is-3x- 
higher-than-desktop / . 
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pie’s to frustrate cross-site tracking will become the norm, and an inability to set 
cookies may be the least of their concerns. 

Question 2. What role should the Federal Trade Commission or the Department 
of Commerce have regarding Do-Not-Track? 

Answer. We believe that the FTC and Department of Commerce have been right 
to use the bully pulpit to call for the enactment of a voluntary Do Not Track stand- 
ard, but they are otherwise limited in what they can enforce. CDT has previously 
argued that the Federal Trade Commission could interpret its Section 5 authority 
more aggressively to implement the full range of Fair Information Practice Prin- 
ciples — to require transparency, data minimization, and a right to opt out of certain 
uses, including behavioral advertising. However, Section 5 is a vaguely worded 
statute, and it is not clear that the courts would agree with such an interpretation: 
indeed, Wyndham Hotels is certainly challenging in Federal court the FTC’s argu- 
ment that Section 5 requires companies to implement reasonable security practices 
to safeguard consumer data.^® 

We think it would be better for consumers and businesses to have more certainty 
about the scope of personal privacy protections, which is why we have long advo- 
cated for the enactment of reasonable, flexible comprehensive privacy legislation 
based on the Fair Information Practice Principles. We continue to believe that 
carefully crafted legislation is the best approach to encouraging legitimate innova- 
tion while preserving user’s ability to exercise control over their personal informa- 
tion. We do see a role for self-regulatory codes of conduct such as Do Not Track as 
a potential safe harbor under an omnibus privacy law, provided that the Federal 
Trade Commission deems them sufficient to fully protect user privacy. We are grati- 
fied that both the FTC and the White House have now called for the enactment of 
such comprehensive privacy legislation. It is now up to Congress to enact these pri- 
vacy protections into law. 


Response to Written Questions Submitted by Hon. Brian Schatz to 
Justin Beookman 

Question 1. One of the rallying cries of the online advertising industry against do- 
not-track defaults and additional regulation of online data collection is that, if you 
prevent online advertisers from collecting information about consumers online, you 
will jeopardize the availability of free content on the internet. Do you think that 
there is necessarily a trade-off between a universally recognized do-not-track system 
or standard and the availability of free content on the Internet? 

Answer. Behavioral advertising certainly provides some marginal value to the ad- 
vertising ecosystem, though it has not been demonstrated how significant this in- 
crease is. It is also not evident how much of the extra value provided by behavioral 
advertising is absorbed by the increased intermediaries in the digital advertising 
and data broker infrastructure, and how much trickles down to the first-party pub- 
lishers. Given the limited bargaining power of smaller, long-tail websites, it is not 
evident that they see much benefit from advertisements that are personalized based 
on web tracking. 

Moreover, it is important to note that the considerable majority of web advertising 
is not behavioral. Stanford research Jonathan Mayer estimated that behavioral ad- 
vertising constituted 4 percent of web advertising in 2009, though that number is 
likely rising as companies find more sophisticated and reliable methods to track 
users.2® 

Regardless of the extent of the trade-off, we believe that consumers should be the 
ones assessing the relative benefits, not industry or government. If a user turns on 
Do Not Track, and sites start to limit the content they make available to that user. 


u’ Center for Democracy & Technology, The Role of Privacy hy Design in Protecting User Pri- 
vacy: Comments of the Center for Democracy & Technology in regards to the FTC Consumer 
Privacy Roundtable, December 21, 2009, http: 1 1 www.ftc.gov lost comments /privacyroundtable I 
544506-00067.pdf 

Danielle Walker, Wyndham Hotels challenges FTC security suit over breaches, SC Maga- 
zine, September 11, 2012, http:l Iwww.scmagazine.com/wyndham-hotels-challenges-ftc-security- 
suit-over-breaches / article 1258559 1 . 

Center for Democracy & Technology, Testimony of Leslie Harris before the House Energy 
& Commerce Committee, Subcommittee on Commerce, Trade, and Consumer Protection on The 
BEST PRACTICES Act of 2010 and Other Federal Privacy Legislation, July 22, 2010, https:! / 
www.cdt.org j files i pdfs i CDT privacy bill testimony.pdf. 

Jonathan Mayer, Do Not Track Is No Threat To Ad-Supported Businesses, Center for Inter- 
net and Society Blog, January 20, 2011, http: i j cyberlaw.stanford.edu ! blog! 2011 i 01 j do-not- 
track-no-threat-ad-supported-businesses. 
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she should make the decision about whether to continue to block tracking, or to 
allow tracking just on this site, or to face the consequences of her decision and ac- 
cept less content — or to pay another price. However, we reject the paternalistic as- 
sertions that users should be deprived of control of their personal information be- 
cause of a judgment that it is in their best interests to have their browsing habits 
invisibly tracked online — despite significant evidence that consumers broadly reject 
such practices.21 

Question 2. In 2009, the FTC called on the online advertising industry to provide 
consumers with transparency, notice, and personal control to control behavioral ad- 
vertising — in the ensuing three years, do you think that online advertisers have suc- 
ceeded in providing that to consumers? 

Answer. The Digital Advertising Alliance has made improvements in recent years, 
most notably by enacting the Self-Regulatory Principles for Multi-Site Data in 2011. 
The most significant improvement was around the limitation of purposes for which 
behavioral data may be used, including a prohibition on the usage of behavioral 
data for employment, credit, health care treatment, and insurance eligibility.^^ 

However, those improvements are somewhat separate from transparency, notice 
and control. The DAA has embarked on a program to place an icon in all targeted 
advertisements as a method to provide notice to users. However, we are not con- 
vinced that this program has been successful in educating average users about be- 
havioral advertising. Anecdotally, when asking friends and acquaintances outside of 
privacy circles whether they have noticed the icon, the answer has been universally 
“no.” Moreover, the interface that a user encounters after clicking on the icon is 
often confusing and unintuitive.^^ 

The controls over behavioral data collection remain flawed: First, the opt-out only 
prevents users from seeing targeted ads, which are based on information gathered 
from tracking. However, it does not prevent tracking itself. While the DAA’s Multi- 
Site Principles in principle agree with the notion of collection limitation, in practice, 
the code’s bases for collection are extremely broad, and any justification to under- 
stand “consumer preferences and behaviors [or] research about consumers, products, 
or services” could justify individualized data collection despite the user’s opting 
out.24 

Second, the DAA opt-out is almost always cookie-based. If a user deletes her cook- 
ies — or if they are routinely deleted by her anti-virus software, as is often the case — 
the opt-out disappears, and even DAA companies subsequently have no way of 
knowing that the user does not want to be tracked. Users do have the opportunity 
to download and install browser add-ons to preserve opt-outs on the DAA site, but 
only if a user clicks on a vague link entitled “Protect My Choices.”^® The link is 
offered without any explanation or context about what “Protect My Choices” means. 
Somewhat confusingly, the opt-out page later implies that the only effective ap- 
proach to protecting one’s choices is to periodically visit the DAA page: 

The opt out choices you select are stored in opt out cookies only in this browser, 
so you should separately set your preferences for other browsers or computers 
you may use. Deleting browser cookies can remove your opt out preferences, so 
you should visit this page periodically to review your preferences, or update to 
include new participating companies. 

Question 3. Even if do-not-track is an available option for consumers, it does not 
seem to be an effective tool for protecting consumer’s privacy. First, online adver- 
tisers largely ignore do-not-track headers. Second, the lack of consensus on what do- 
not-track means, in terms of what data is still collected and for what purpose, ren- 
ders do-not-track meaningless. 

Is it true that, currently, when a user thinks he or she has opted out of tracking — 
whether it is through an opt-out cookie or using a do-not-track heading on a brows- 
er — online advertisers are still collecting information about that user for advertising 
purposes? 

Answer. Today, when a user turns on Do Not Track or opts out through the DAA 
process, behavioral data collection and retention is unaltered in most cases (some 
companies, such as Google, use non-unique opt-out cookies when a user opts out. 


See supra note 14. 

22 Self-Regulatory Principles for Multi-Site Data, Digital Advertising Alliance, November 2011, 
http: / / www.aboutads. info / resource ! download / Multi-Site-Data-Principles.pdf 
22 See supra p 3. 

2^ Digital Advertising Alliance, Self- Regulatory Principles for Multi-Site Data, http:l jwww 
.aboutads. info I resource / download I Multi-Site-Data-Principles.pdf 

22Digital Advertising Alliance, Opt Out from Behavioral Advertising (Beta), http:! Iwww 
.aboutads.info I choices I . 
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making it more difficult to correlate third-party users over time). We remain hopeful 
that a meaningful Do Not Track standard can be negotiated that will be adopted 
and enforced by major trade associations such as the DAA. However, even then, par- 
ticipation will be strictly voluntary, and tracking companies such as Dataium can 
simply choose not to pay to join a trade association and could continue to track 
users both online and off.^® Ultimately, we believe that baseline privacy legislation 
should be enacted that encourages adoption of codes of conduct such as Do Not 
Track by providing safe harbor status and deemed compliance for programs certified 
by the Federal Trade Commission.^^ Only then will companies be sufficiently 
incentivized to provide sufficiently robust privacy protections for users. 


Response to Written Questions Submitted by Hon. Ron Johnson to 
Justin Beookman 

Question 1. What are the harms that are actually occurring to consumers through 
anonymous cookie-based “tracking?” As indicated in Mr. Mastria’s testimony, the 
primary privacy concerns for most consumers online have to do with identity theft, 
viruses and malware, and government surveillance. So, what harms are occurring 
that the FTC doesn’t currently already have the authority to address? 

Answer. The Center for Democracy & Technology is willing to concede that iden- 
tity theft and malware may be of greater concern to the average user than online 
Internet tracking. However, that does not logically mean that consumers are not 
concerned about behavioral tracking as well; merely because one problem is consid- 
ered of more significance than another does not mean we should ignore the lesser 
problem. It would not be a valid argument, for example, to argue that Congress 
should ignore allegations that the Internal Revenue Service signaled out tea party 
groups 1 because a poll showed that Americans were relatively more concerned about 
the economy and job growth. And, it should be noted, identity theft and malware 
are currently illegal. The FTC and private citizens have legal tools to seek redress 
from bad actors who engage in those sorts of behaviors. 

On the other hand, users do not have robust tools to address online behavioral 
data collection, and a vast majority of Americans still consider that to be a prob- 
lem.2 Increasingly, we live in a world where everything we do is observable. Perva- 
sive closed-circuit television and drone surveillance, and the emergence of facial rec- 
ognition, may soon allow companies to persistently track users across space and 
over time by their individual identities.® Indeed, even the privacy that we expect 
inside our house is threatened by technological developments. Researchers at the 
University of Washington have uncovered ways to determine what television shows 


Jennifer Valentino-Devries and Jeremy Singer -Vine, “They Know What You’re Shopping 
For,” Wall Street Journal, December 7, 2012, http:! I online.ivsj.com I article I SB10001424127887 
324784404578143144132738214.html. 

See supra, p 4. 

1 See Mark Stanley, IRS Targeting of Tea Party Groups Shows Need for ECPA Reform; CDT 
Blog, May 10, 2013, https:/ / www.cdt.org I blogs Imark-stanley 1 1005irs-targeting-conservatiue- 
groups-illustrates-need-ecpa-reform. 

®See e.g., Scott Cleland, Americans Want Online Privacy — Per New Zogby Poll, PUBLIUS’ 
FORUM, June 9, 2010, http://www.publiusforum.eom/2010/06/19/americans-want-online-pri- 
vacy-per-new-zogby-poll; Joseph Turow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley & 
Michael Hennessey, Contrary to What Marketers Say, Americans Reject Tailored Advertising 
and Three Activities that Enable It (Sept. 2009), http://graphics8.nytinies.com/packages/pdf/ 

business / 20090929-Tailored Advertising.pdf. See also Alan F. Westin, Majority Uncomfortable 

with Websites Customizing Content Based Visitors Personal Profiles: Level of Comfort Increases 
when Privacy Safeguards Introduced, HARRISINTERACTIVE, April 10, 2008, http:/ / 
www.harrisinteractive.com / vault / Harris-Interactive-Poll-Research-Majority- Uncomfortable-with 
Websites-Customizing-C-2008-04.pdf (in which majority of respondents said they were not com- 
fortable with online companies using their browsing behavior to tailor ads and content to their 
interests even when they were told that such advertising supports free services); John B. 
Horrigan, Use of Cloud Computing Services, PEW INTERNET & AMERICAN LIFE PROJECT, 
September 2, 2008, http://www.pewinternet.org/~lmedial/Files/Reports/2008/PIP_Cloud 
.Memo.pdf.pdf (showing that 68 percent of users of cloud computing services say they would be 
very concerned if companies that provided these services analyzed their information and then 
displayed ads to them based on their actions). 

®See Harley Geiger, The Drones are Coming, CDT Blog, December 21, 2011, https:/ / 
www.cdt.org/blogs/harley-geiger/2112drones-are-coming; Harley Geiger, Facial Recognition and 
Privacy, CDT Blog, December 6, 2011, https:/ / www.cdt.org / blogs / harley-geiger / 612facial-rec- 
ognition-and-privacy / . 
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are being watched inside a home by measuring the electromagnetic radiation emit- 
ted from the power lines publicly observable outside your house."^ 

There is an incredible amount that we as a society have to gain from innovative 
new technologies, but there is also an incredible amount that we have to lose. With- 
out a framework in place to assure everyday consumers of the ability to limit the 
collection and retention of the minutiae of their lives by unknown third parties, any 
sense of a realm of personal privacy may completely evaporate. In short, we may 
lose: 

• Our right to read newspapers unnoticed: to throw a quarter into the vending 
box and grab a copy, to privately choose which articles we read and which we 
don’t, gradually slips away each time a local paper shutters its presses or halts 
print distribution. 

• Our right not just go for a drive unnoticed, but to talk to friends unnoticed, to 
write letters unnoticed,® to read books unnoticed, to watch a TV show unno- 
ticed, to buy a gift unnoticed — all of these rights are eroding as these activities 
move into the networked world and surveillance technologies become more so- 
phisticated. 

• Our right to walk down the street unnoticed, whether en route to a political 
rally or to a doctor’s office, is eroding as facial recognition technology advances 
and becomes more widely deployed.® 

The right to read online content anonymously stems from a natural desire to pre- 
serve a personal space where our activities and motivations are not recorded, evalu- 
ated, and preserved. Unfortunately, online tracking today is hardly anonymous. In 
some cases, behavioral profiles are tied explicitly to personally identifying informa- 
tion.^ In other cases, because those profiles are persistently linked to individual de- 
vices, they necessarily could be tied to personally identif 3 dng information in the fu- 
ture (either by obtaining identifying information such as a name or e-mail address 
from a website that has possesses that information, or through a subpoena to an 
Internet service provider for identif 3 dng information associated with an Internet pro- 
tocol (IP) address). 

People are understandably concerned with the creation of these stores of very per- 
sonal information about what they do online, as the information could subsequently 
be exposed through a data breach, obtained by law enforcement without due process 
of law (and for potentially illegitimate and ideologically discriminatory purposes), 
viewed internally by employees within the company, or used to offer differential 
prices and user experience without transparency. More fundamentally, many people 
merely want to have some control over the sharing of their reading habits — to be 
able to access the web without having dozens of companies storing and evaluating 
what they do online. Do Not Track is intended an opt-out for those people — a way 
for consumers to tell companies that they don’t want them looking over their shoul- 
der. As I noted during my testimony, the advertising industry has already conceded 
the need to address such user objections by offering its own opt-out program; Do 
Not Track simply offers a more persistent and scalable solution. 

CDT has previously argued that the Federal Trade Commission could interpret 
its Section 6 authority more aggressively to implement the full range of Fair Infor- 
mation Practice Principles — to require transparency, data minimization, and a right 
to opt out of certain uses, including behavioral advertising.® However, Section 5 is 
a vaguely worded statute, and it is not clear that the courts would agree with such 
an interpretation: indeed, Wyndham Hotels is certainly challenging in Federal court 
the FTC’s argument that Section 5 requires companies to implementreasonable se- 


^Miro Enev, et al, Televisions, Video Privacy, and Powerline Electromagnetic Interference, 
Working Paper, http:! I abstract.cs.ivashmgton.edu I ~miro I docs I ccs2011.pdf 
®USPS mail currently receives more privacy protections than does electronic mail. See, Fed- 
eral Statutes and Regulations Relation to the Privacy and Security of Mail, httpij / 
about.usps.com I who-we-are /privacy-policy I intelligent-mail-privacy. htm#H7. 

®See Harley Geiger, Facial Recognition and Privacy, CDT Blog, December 6, 2011, https:! ! 
www.cdt.org I blogs I harley-geiger 1 612facial-recognition-and-privacy I . 
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curity practices to safeguard consumer data.® We think it would be better for con- 
sumers and businesses to have more certainty about the scope of personal privacy 
protections, which is why we have long advocated for the enactment of reasonable, 
flexible comprehensive privacy legislation based on the Fair Information Practice 
Principles. 1® We continue to believe that carefully crafted legislation is the best ap- 
proach to encouraging legitimate innovation while preserving user’s ability to exer- 
cise control over their personal information. 

Question 2. You state on the one hand that browsers are increasingly competing 
on privacy but on the other hand that we need a comprehensive privacy law. That 
doesn’t add up to me. If industry is evolving its self-regulatory approach and brows- 
ers like our witness Mozilla is adopting its own standards, isn’t the marketplace 
working today? Wouldn’t new regulations thwart these important actions industry 
is undertaking today? 

Answer. We are hopeful that the market will be able to deliver a comprehensive 
solution to online behavioral tracking, which is why we have spent two years within 
the World Wide Web Consortium trying to negotiate a reasonable consensus stand- 
ard for Do Not Track. However, it is important to place this effort in historical con- 
text. We have been advocating for privacy protections over online behavioral profiles 
for over fifteen years now.i'^ Numerous previous efforts to address the issue have 
failed. At the same time, other industries have sprung up — such as mobile com- 
puting — that expose considerably more personal information than mere behavioral 
data, with often less control over that information, Personal privacy should not be 
a constant game of catch-up: tr 3 dng to append after-the-fact privacy protections to 
existing business models after press attention draws scrutiny to unwanted (and pre- 
viously unknown) practices. 

A properly crafted privacy law would incentivize companies to build privacy into 
products from the beginning. If the United States had a comprehensive privacy stat- 
ute such as we have previously supported,!"*^ I do not believe this hearing would 
have been necessary, as companies would have a legal requirement to recognize a 
user’s opt out request. That is not to say that a company would necessarily have 
to abide by that request. If a company were to insist on third party behavioral data 
collection as a condition of providing service to a consumer, privacy law should not 
interfere with such a business model in a robust marketplace. However, a privacy 
law could require that that business model be meaningfully messaged to a user — 
especially in response to an opt-out request — whereas today, much data collection 
and usage in not at all transparent to the average consumer. To the contrary, be- 
cause the primary privacy law in this country today is Section 5 of the FTC Act’s 
prohibition on deceptive practices, companies are meaningfully deincentivized from 
making privacy disclosures to consumers, because of the potential of exposing them- 
selves to liability if they do not live up to those statements (even inadvertently). 

Privacy law should not try to make choices for users, but should empower them 
to make their own decisions about data. Unfortunately, many voices in the privacy 
debate insist on making paternalistic decisions on behalf of users — either pre- 
scribing broad swaths of data collection and usage because consumers do not like 
the practice, or in justifying all hidden data collection and usage without user trans- 
parency or choice because it supports content that users might not want to pay for. 
We instead prefer a solution where consumers can make informed decisions about 
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their data, and to which companies in the marketplace can respond with a range 
of options. Unfortunately, consumers today trying to evaluate and choose among the 
data practices of various online and offline companies cannot get the information 
they desire. A privacy law would, inter alia require usable transparency, allowing 
the market to innovate in response to more meaningful signals about privacy prac- 
tices and user intent. 


Response to Written Questions Submitted by Hon. Barbara Boxer to 

Adam Thierer 

Question 1. In your written testimony, you express support for alternatives to Do 
Not Track such as the use of advertisers’ ad preference managers and “private 
browsing” browser settings. Are these alternative approaches as persistent as a Do 
Not Track signal? 

Answer. First, it is unclear at this stage exactly how persistent the Do Not Track 
signal would be because (a) the technical standard has not been finalized, and (b) 
it is unclear how many operators (advertisers, publishers, browser companies, etc) 
would honor the DNT request. Moreover, as I noted in my written testimony, even 
if Do Not Track takes root and some consumers turn it on, many will be incentivized 
by ad networks or publishers to opt right back in to “tracking” to retain access to 
sites and services they desire. In doing so, they may end up sharing even more in- 
formation than they do today. 

Regardless, to answer your original question, yes, some of these alternative ap- 
proaches are persistent, especially tools like cookie-blockers and “private browsing” 
browser settings. And, when used in combination, these tools can provide extremely 
effective privacy protection. Of course, it is also true that with each additional layer 
of privacy protection a user adds, the browsing experience may grow more cum- 
bersome. 

Question 2. Do consumers understand the extent to which their activities are 
tracked online? 

Answer. Evidence suggests that many consumers aren’t aware of how online ad- 
vertising and marketing work. It is also true that most consumers don’t read site 
privacy policies. However, as I noted in a recent law review article, ^ it is also true 
that most consumers don’t read or fully understand every proviso contained in the 
stacks of paper placed in front of them when they sign a home mortgage. The same 
is true for life insurance policies, which are full of incomprehensible provisions and 
stipulations, even though regulations govern those policies as well. It is also un- 
likely that consumers read and understand every provision of their car loan or war- 
ranty. The same is also true of mandatory Food and Drug Administration disclo- 
sures on pharmaceuticals. In each of these cases, far more is at stake for consumers 
than whatever “risk” they face by not fully comprehending online privacy policies. 
Accordingly, a certain amount of “rational ignorance” about privacy policies should 
be expected. Consumers will never be perfectly informed and it remains unclear ex- 
actly how much information they need for online markets to work effectively. 

Question 3. Do consumers expect to be tracked by third-party companies with 
which they have never interacted? 

Answer. Probably not, but it is unclear what harm comes from it. Meanwhile, 
enormous benefits accrue to those consumers from such “tracking.” Specifically, it 
helps keep the price of online sites and service low or at zero. Moreover, it allows 
new products and services to be targeted to the public. Nonetheless, more could be 
done to educate the public about data collection and online “tracking.” 

Question 4. How would you recommend educating consumers about the alter- 
native privacy-enhancing tools available to them? 

Answer. A multi-layered strategy is needed to better educate consumers and en- 
courage “digital citizenship.” For youth, privacy education begins at home with pa- 
rental guidance and mentoring about sensible online practices and behavior. Schools 
also have an essential role in mentoring youth about media literacy and acceptable 
online practices. Companies and trade associations also have a role here in that 
they should be doing more to inform users about what their data is being used for 
and how it benefits them. They should also better explain how to easily opt-out of 
data collection practices or, more simply, offer them simple tips for enhancing their 
online privacy. Many companies and trade associations already do this and much 
more. 


1 Adam Thierer, The Pursuit of Privacy in a World Where Information Control Is Failing, 36 
Harvard Journal of Law & Public Policy 409, 446-449 (2013). 
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Finally, government also has an important role in this educational process. In its 
most recent Strategic Plan, the Federal Trade Commission noted that, “Consumer 
and business education serves as the first line of defense against fraud, deception, 
and unfair practices.”^ The FTC already partners with several other Federal agen- 
cies to offer OnGuardOnline, a site that offers wide-ranging security, safety, and pri- 
vacy tips for consumers and businesses. As part of that effort, the FTC produces 
dozens of informational videos that are also available on dedicated YouTube page.^ 
Similarly, the FCC offers smartphone security advice on its website.^ State and local 
officials can also take steps to integrate privacy and security lessons and messaging 
into school curricula or other public awareness-building programs. 


Response to Written Questions Submitted by Hon. Frank R. Lautenberg to 

Adam Thierer 

Question 1. A 2010 Wall Street Journal series on online privacy illustrated the 
extent to which individuals are being tracked and how the invasive practice can 
cause real harm. A recent high-school graduate, who had been identified by adver- 
tisers as concerned about her weight, told the paper she sees weight-loss ads every 
time she goes on the Internet. She said, “I’m self-conscious about my weight. I try 
not to think about it . . . then [the ads] make me start thinking about it.” Do you 
believe this qualifies as a real harm? 

Answer. While the individual may take great offense at such messages, it would 
be hard to classify them as “harmful,” at least in a legally actionable sense. More 
importantly, such commercial messages are protected by the First Amendment since 
they convey useful information. 

Question 2. Many believe the lack of transparency — particularly with regard to 
3rd party cookies — and an individual’s inability to know what personal information 
is actually being collected can cause real harm because consumers don’t have the 
ability to understand how to protect themselves from invasive tracking. Do you 
agree that this is a harm? 

Answer. Consumers have the ability to protect themselves from all forms of online 
“tracking,” even if they do not understand how those things work in practice. The 
privacy tools already on the market today — which are widely available and either 
free of charge or very inexpensive — can be extremely effective in terms of protecting 
user privacy. 

Question 3. Do you believe that consumers have a basic right to privacy online? 

Answer. Citizens have a right to be free of actual harms to themselves or their 
property, but privacy has always been a highly subjective philosophical concept. It 
is also a constantly morphing notion that evolves as societal attitudes adjust to new 
cultural and technological realities. For these reasons, America may never be able 
to achieve a coherent fixed definition of the term or determine when it constitutes 
a formal right outside of some narrow contexts.® For example, some specific uses 
of highly sensitive personal information may create harms, but laws already exist 
to deal with such concerns as they relate to health and financial privacy, among oth- 
ers. 


Response to Written Questions Submitted by Hon. Ron Johnson to 

Adam Thierer 

Question 1. What are the harms that are actually occurring to consumers through 
anonymous cookie-based “tracking?” As indicated in Mr. Mastria’s testimony, the 
primary privacy concerns for most consumers online have to do with identity theft, 
viruses and malware, and government surveillance. So, what harms are occurring 
that the FTC doesn’t currently already have the authority to address? 

Answer. As recent privacy-related enforcement actions against both Coogle ^ and 
Facebook^ illustrate, the FTC already has broad discretion and plenary authority 


2 Federal Trade Commission, Federal Trade Commission Strategic Plan for Fiscal Years 2009 
to 2014, 4, http:! / www.ftc.gov ! opp ! gpra! spfy09fyl4.pdf. 

^http:! / www.youtube.com I user / FTCvideos. 

* http: / / www.fcc.gov ! smartphone-security. 

® Adam Thierer, The Pursuit of Privacy in a World Where Information Control Is Failing, 36 
Harvard Journal of Law & Public Policy 409, 414-417 (2013). 

^Alex Howard, Google Reaches Agreement with FTC on Buzz Privacy Concerns, 
Gov 20 .Govfresh, March 30, 2011, http:l I gov20.govfresh.com I google-reaches-agreement-with-ftc- 
on-buzz-privacy -concerns. 

2 Brent Kendall, Facebook Reaches Settlement with FTC on Privacy Issues, Wall St. J., Nov. 
29, 2011, http:! j online.wsj.com I article I BT-CO-20111l29-710865.html. 
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under Section 5 of the FTC Act to hold companies to the promises they make to 
their users as it pertains to information collection and data security.^ In consent de- 
crees with both those companies, the FTC extracted a wide variety of changes to 
their privacy and data collection practices while also demanding that they undergo 
privacy audits for the next 20 yearsA 

Thus, the FTC certainly is not lacking the authority to address these issues. Pro- 
fessors Kenneth A. Bamberger and Deirdre K. Mulligan note that, “since 1996 the 
Federal Trade Commission has actively used its broad authority under Section 5 
. . . to take an active role in the governance of privacy protection, ranging from 
issuing ^idance regarding appropriate practices for protecting personal consumer 
information, to bringing enforcement actions challenging information practices al- 
leged to cause consumer injury.® 

Question 2. It has been estimated that American websites would lose $33 billion 
over five years if Congress mandates EU-style opt-in consent for interest-based ad- 
vertising. You stated in your testimony that restrictions on data collection could un- 
dermine America’s global competitive advantage in this space. Is this what you had 
in mind? 

Answer. Yes, that is exactly the sort of danger I was referring to in my testimony. 
If the American privacy regime was adjusted to look more like the one found in the 
European Union, which is far more regulatory in character, it is likely that compli- 
ance costs would increase for many online operators. “If applied to American compa- 
nies, these European laws would restrict the breakneck innovation of the commer- 
cial web,” argues the NetChoice Coalition, which represents a variety of online ven- 
dors.® Thus, privacy regulation could affect the global competitiveness of U.S. firms 
and diminish their competitive advantage in the global digital arena. 

Economists have verified this. “In a setting where first-party advertising is allow- 
able but third-party marketing is not, substantial advantages may be created for 
large incumbent firms,” argue Professors Avi Goldfarb and Catherine Tucker.'^ “Eor 
example, if a large wehsite or online service were able to use its data to market and 
target advertising, it will be able to continue to improve and hone its advertising, 
while new entrants will find it difficult to challenge the incumbent’s predominance 
by compiling other data or collecting their own data.” ® 

Goldfarb and Tucker found that “after the [European Union’s] Privacy Directive 
was passed [in 2002], advertising effectiveness decreased on average by around 65 
percent in Europe relative to the rest of the world.” ® They argue that because regu- 
lation decreases ad effectiveness, “this may change the number and types of busi- 
nesses sustained by the advertising-supporting Internet.” The European Union’s 
experience makes it clear that regulation of online advertising and data collection 
can affect market structure, competitive rivalry, and the global competitiveness of 
online firms.^^ 
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